auto-generated queries from markdown notes

2020-11-23 12:08:31 -06:00
parent a3c07c2199
commit 7c09d914d1
85 changed files with 1414 additions and 0 deletions
+14
@@ -0,0 +1,14 @@
title: DD Data Destruction
description: Detection of data destruction with the DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Impact
technique: T1485
subtechnique: null
operating_system: linux
query: AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of="
false_positives: null
tags: null
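Review bot: `false_positives: null` understates this rule: `of=` is required for every dd write, so disk imaging, swap or test-file creation and installer scripts all match, and the query line records none of that. The query also scopes to `AgentOS In ("linux","osx")` while `operating_system: linux` names only one platform, so the metadata and the query disagree. Suggest `false_positives: Any legitimate dd write (of=) - imaging, file creation, installers.` and listing both platforms in `operating_system` in whatever form the schema accepts.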
+15
@@ -0,0 +1,15 @@
title: Disable Syslog
description: Detect disabling of Linux Syslog service.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: null
operating_system: linux
query: TgtProcName In Contains ("service","chkconfig","systemctl") AND TgtProcCmdLine
In Contains ("rsyslog stop","off rsyslog","stop rsyslog","disable rsyslog")
false_positives: null
tags: null
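Review bot: The command-line list on the query lines covers only stop/disable of `rsyslog`; `systemctl mask rsyslog` and the `syslog-ng`/`systemd-journald` services are in neither list, so the rule watches one daemon and two of its state changes although the title is generic. `In Contains` here is case-sensitive where the rest of the commit prefers `ContainsCIS`/`Anycase`, which is acceptable for these lowercase names but worth stating in the description. Suggest adding `"mask rsyslog"` and the syslog-ng equivalents to the second list, or narrowing the title to rsyslog.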
@@ -0,0 +1,16 @@
title: Disabling Linux Firewall
author: keyboardcrunch
date: 10/10/2020
modified: null
description: Detection of Linux firewall being disabled.
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: null
operating_system: linux
query: (SrcProcName In Contains ("service","chkconfig") AND SrcProcCmdLine In Contains
("off","stop") AND SrcProcCmdLine ContainsCIS "tables") OR (TgtProcName = "systemctl"
AND TgtProcCmdLine In Contains ("stop","disable") AND TgtProcCmdLine Contains "firewalld")
false_positives: null
tags: null
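Review bot: The two branches read different process fields for the same kind of event: the first filters `SrcProcName`/`SrcProcCmdLine`, the second `TgtProcName`/`TgtProcCmdLine`, so `service iptables stop` is matched as the source process and `systemctl stop firewalld` as the target process. Unless that asymmetry is deliberate, use one side; `TgtProc*` matches the other process-execution rules in this commit. `Contains "firewalld"` is the only case-sensitive operator on the line, and `ContainsCIS` would be consistent with the `ContainsCIS "tables"` clause next to it. `ufw disable` is not covered at all despite the generic title.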
+14
@@ -0,0 +1,14 @@
title: Local Account Added Linux
description: Query all instances of local accounts being Linux and OSX.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1136
subtechnique: null
operating_system: linux
query: SrcProcCmdLine In Contains Anycase ("useradd")
false_positives: General account maintenance.
tags: null
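Review bot: The description line `Query all instances of local accounts being Linux and OSX` is missing a word and should read `local accounts being added on Linux and OSX`. The query matches only `useradd`, which does not exist on macOS and misses Debian's `adduser`, so the OSX claim, `operating_system: linux` and the query disagree with each other; the `dscl ... -create` pattern that Local Account Added Windows carries belongs in this rule instead. Suggest `SrcProcCmdLine In Contains Anycase ("useradd","adduser") OR SrcProcCmdLine RegExp "\bdscl\b.*-create\b"` (constructed).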
@@ -0,0 +1,18 @@
title: Account Access Removal
description: Detects the deletion of a local user account or removal of Active Directory
groups through powershell cmdlets. No detection for account password resets for
purpose of impact due to false detections.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Impact
technique: T1531
subtechnique: null
operating_system: windows
query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR
TgtProcCmdLine ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS
"Remove-ADGroupMember"
false_positives: null
tags: null
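Review bot: `SrcProcCmdline` on the first query line is capitalised differently from `TgtProcCmdLine` two clauses later and from every other rule in this commit; if the platform's field names are case-sensitive, that OR branch is a query error rather than a match. The same lowercase form appears in Group Policy Preference Cred Extraction, LaZagne Password Theft, LSASS Memory Dumping and NTDS Copy. The description also promises detection of local account deletion, but only `net user ... /delete` is covered; `Remove-LocalUser` alongside `Remove-ADGroupMember` in both the CmdLine and CmdScript clauses would match the stated scope.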
+22
@@ -0,0 +1,22 @@
title: Account Manipulation
description: Both Atomic tests for account manipulation rely on PowerShell AD module,
so we can catch both with one query. We have the query encapsulated so that we can
filter it at the end by Parent Process, as some Logon Scripts and Configuration
Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
on import of Powershell AD cmdlets.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1098
subtechnique: null
operating_system: windows
query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
false_positives: null
tags: null
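Review bot: `SrcProcParentName Not In (... "svchost.exe" ...)` on the last query line also excludes every PowerShell launched by Task Scheduler or a service, which is a common path for these cmdlets, and `false_positives: null` records nothing about that trade-off. The `Domain Admins` clauses use case-sensitive `RegExp` while the cmdlet lists use `Anycase`, so a differently cased group name is not matched. Suggest moving the parent-filter rationale from the description into `false_positives` and, if the platform offers a case-insensitive regex form, using it for the two `Add-ADGroupMember` clauses.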
@@ -0,0 +1,15 @@
title: Allow Executable Through Defender Firewall
author: keyboardcrunch
description: Detect allowance of executables through Defender Firewall.
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 002
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
false_positives: null
tags: null
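Review bot: `subtechnique: 002` under T1562 is Disable Windows Event Logging; firewall rule changes are T1562.004 (Disable or Modify System Firewall), which is the value the Disable Defender Firewall and Open Local Port on Defender Firewall rules in this same commit use. Allow SMB and RDP on Defender Firewall carries the same `002`. Change both to `subtechnique: 004`.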
@@ -0,0 +1,16 @@
title: Allow SMB and RDP on Defender Firewall
description: Detects addition of Defender firewall rules for SMB and RDP.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 002
operating_system: windows
query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "remote desktop"
AND TgtProcCmdLine ContainsCIS "enable=Yes") OR (TgtProcName = "netsh.exe" AND TgtProcCmdLine
ContainsCIS "file and printer sharing" AND TgtProcCmdLine ContainsCIS "enable=Yes")
false_positives: null
tags: null
@@ -0,0 +1,15 @@
title: AMSI Bypass Through InitFailed
description: Detects AMSI bypass through InitFailed.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 001
operating_system: windows
query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
false_positives: null
tags: null
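Review bot: Both query clauses match one exact, fully spelled reflection string, so any whitespace, quoting or ordering variation of the same call is not detected, and the literal has to be kept identical in two places. The distinctive token is the field name; `ContainsCIS "amsiInitFailed"` on `TgtProcCmdLine` and on `SrcProcCmdScript` captures the same family with a far smaller literal. If the full string is kept for precision, say so in the description and record the trade-off.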
+15
@@ -0,0 +1,15 @@
title: Application Shimming
description: Detects application shimming through sdbinst or registry modification.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 008
operating_system: windows
query: (SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath
ContainsCIS "AppInit_DLLs" OR RegistryPath ContainsCIS "AppCompatFlags") AND (EventType
= "Registry Value Create" OR EventType = "Registry Value Modified"))
false_positives: null
tags: null
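Review bot: `subtechnique: 008` does not match this rule: Application Shimming is T1546.011 in ATT&CK, and the same `008` recurs where it is also wrong in Assoc Default File Change and Change Shell Open RegKeys (T1546.001), T1548.002 Bypass User Access Control (`002`, as its own title says) and Image File Execution Debugger (T1546.012), which suggests a generator default rather than a mapping. On the query lines, `ProcessCmd` and `RegistryPath` are field names the rest of the commit does not use (it uses `SrcProcCmdLine` and `RegistryKeyPath`), and `RegistryPath` also appears in Invoke-MalDoc and Netsh Helper DLL; if the platform rejects unknown fields, the first clause never matches. Suggest `SrcProcCmdLine ContainsCIS ".sdb"` and `RegistryKeyPath ContainsCIS "AppCompatFlags"` here, and `subtechnique: 011`.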
@@ -0,0 +1,16 @@
title: Assoc Default File Change
description: Detection of file association change through assoc command.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation
technique: T1546
subtechnique: 008
operating_system: windows
query: '--- File assoc change by assoc command
TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
false_positives: null
tags: null
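Review bot: The query value is a quoted scalar whose first line, `--- File assoc change by assoc command`, is a comment that becomes part of the query string; unless the query language treats `---` as a comment, the rule fails to parse. Change Shell Open RegKeys embeds the same comment line. The condition is also very wide: `ContainsCIS "assoc"` matches any command line containing that substring and `RegExp ".*=.*"` any `=`; an anchored form such as (constructed) `TgtProcCmdLine RegExp "\bassoc\s+\.[A-Za-z0-9]+="` ties the match to the command and its argument shape.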
+14
@@ -0,0 +1,14 @@
title: AT Scheduled Task
description: Detect interactive process execution scheduled by AT command.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution, Persistence, Privilege Escalation
technique: T1053
subtechnique: 002
operating_system: windows
query: TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "
false_positives: null
tags: null
+20
@@ -0,0 +1,20 @@
title: BITS Jobs
description: The below query will find and remote content downloads from DesktopImgDownldr
or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system
processes and noise with SrcProcParentName Not In ().
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Persistence
technique: T1197
subtechnique: null
operating_system: windows
query: (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.exe")
AND ( TgtProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe"
AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not
In ("services.exe","smss.exe","wininit.exe")
false_positives: null
tags: null
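Review bot: `find and remote content downloads` in the description should read `find any remote content downloads`. The URL regex on the second query line is repeated byte-for-byte in Compiled HTML File, Mshta and Msiexec Remote MSI; a shared constant in the generator would keep the four copies in step when one is corrected. `TgtProcName = "powershell.exe"` in the Start-BitsTransfer branch does not include `pwsh.exe`.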
@@ -0,0 +1,17 @@
title: Browser Extension Installation
description: This query takes a lazy approach to detecting the staging of xpi or crx
extension packages for installation within Chrome and Firefox based browsers. Unsure
how to filter our extension updates without excluding too much.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1176
subtechnique: null
operating_system: windows
query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp
"\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
false_positives: null
tags: null
@@ -0,0 +1,20 @@
title: T1548.002 Bypass User Access Control
description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
or .msc file types. Beyond this Atomic test, and to further UAC bypass detection,
the below query includes detection for CMSTPLUA COM interface abuse by GUID. Noted
issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key
paths were ControlSet001\Service\bam\State\UserSettings\GUID...
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1548
subtechnique: 008
operating_system: windows
query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
false_positives: null
tags: null
@@ -0,0 +1,19 @@
title: Change Shell Open RegKeys
description: Detection of file association changes. Detection by registry is noisy
due to problem filtering on registry root, so install/uninstall apps create noise.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1546
subtechnique: 008
operating_system: windows
query: '--- File assoc change by registry
RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
, "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
Value Modified" )'
false_positives: null
tags: null
@@ -0,0 +1,19 @@
title: Clear Windows Event Logs
description: Detects the clearing of EventLogs through wevtutil (concise) as well
as Clear-EventLog through CommandLine and CommandScript objects. Powershell cmdlet
detection returns a lot of noise for the CommandScripts object, so filtering out
SrcProcParentName may be required.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1070
subtechnique: 001
operating_system: windows
query: (TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine
ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND
SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe"))
false_positives: null
tags: null
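Review bot: `TgtProcCmdLine ContainsCIS "cl "` catches only the abbreviated verb; `wevtutil clear-log Security` is the documented long form and is not matched. `TgtProcCmdLine In Contains Anycase ("cl ","clear-log ")` keeps the same shape. The `svchost.exe` parent exclusion in the second branch drops Task Scheduler and service-launched PowerShell, which the description should state under `false_positives` rather than leaving it `null`.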
+16
@@ -0,0 +1,16 @@
title: CMSTP
description: CMSTP is rarely used within my environment, so the below detection has
low false positives without filtering, though you may want to limit query to inf
files located in personal/writeable directories.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 003
operating_system: windows
query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
false_positives: null
tags: null
@@ -0,0 +1,18 @@
title: Compile After Delivery
description: Both Atomic tests for this technique leverage csc.exe for compilation
of code. The below will detect specific compilation of executables as well as dynamic
compilation through detection of csc.exe creating executable files (both dll and
exe). Filter noise from later portion of query using SrcProcParentName Not In ().
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1027
subtechnique: 004
operating_system: windows
query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName =
"csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
false_positives: null
tags: null
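Review bot: The first branch pairs `TgtProcName = "csc.exe"` with `SrcProcCmdLine Contains "/target:exe"`, i.e. it inspects the parent's command line for a csc switch; the switch is on the csc.exe process itself, so this should be `TgtProcCmdLine ContainsCIS "/target:exe"`. csc also accepts `/t:exe` and `-target:exe`, which the literal does not cover. The second branch correctly uses `SrcProcName` for csc writing an executable file.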
+17
@@ -0,0 +1,17 @@
title: Compiled HTML File
description: Breaking down the below query, the first section will detect Atomic Test
1 where a malicious chm file spawns a process, whereas the second half of the query
detects hh.exe loading a remote payloads.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 001
operating_system: windows
query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName
= "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
false_positives: null
tags: null
+16
@@ -0,0 +1,16 @@
title: COR Profiler
description: Detection of unmanaged COR profiler hooking of .NET CLR through registry
or process command.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Persistence, Privilege Escalation
technique: T1574
subtechnique: 012
operating_system: windows
query: (SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment")
OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"
false_positives: null
tags: null
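Review bot: The registry clause matches only the value name `COR_PROFILER_PATH`; a profiler is registered through `COR_ENABLE_PROFILING` and `COR_PROFILER` under the Environment key, and the `_PATH` variant is just one of the settings, so a registry-based setup that does not write that particular value is not covered. All three clauses use case-sensitive `Contains` where the rest of the commit uses `ContainsCIS`, and the registry clause has no `EventType` filter, unlike the other registry rules here. Suggest `(RegistryKeyPath ContainsCIS "COR_" AND RegistryKeyPath ContainsCIS "\Environment" AND EventType In ("Registry Value Create","Registry Value Modified"))` for the registry branch.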
@@ -0,0 +1,19 @@
title: Deobfuscate or Decode Files
description: This Atomic tests detections of certutil encoding and decoding of executables,
and the replication of certutil for bypassing detection of executable encoding.
Our query below will detected renamed certutil through matching of DisplayName,
as well as encoding or decoding of exe files.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1140
subtechnique: null
operating_system: windows
query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
false_positives: null
tags: null
@@ -0,0 +1,14 @@
title: Disable Defender Firewall
description: Detection on disabling Microsoft Defender Firewall.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 004
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
false_positives: null
tags: null
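Review bot: Only the netsh path is covered; the PowerShell equivalent `Set-NetFirewallProfile -Enabled False` is not, although the title is generic and sibling rules in this commit pair CmdLine and CmdScript clauses for exactly this reason. `ContainsCIS "state off"` is also not tied to `advfirewall`, so any other netsh context carrying that phrase matches. Suggest `(TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "advfirewall" AND TgtProcCmdLine ContainsCIS "state off") OR (SrcProcCmdLine ContainsCIS "Set-NetFirewallProfile" AND SrcProcCmdLine ContainsCIS "-Enabled False")`.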
+15
@@ -0,0 +1,15 @@
title: Disable IIS Logging
description: Detects disabling of IIS logging.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 002
operating_system: windows
query: TgtProcName = "appcmd.exe" AND TgtProcCmdLine ContainsCIS "/dontLog:true" AND
TgtProcCmdLine ContainsCIS "/section:httplogging"
false_positives: null
tags: null
@@ -0,0 +1,16 @@
title: T1562.001 Disable Microsoft Office Security Features
description: Detects disabling of Microsoft Office Security features.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 001
operating_system: windows
query: (RegistryKeyPath ContainsCIS "Excel\Security" OR RegistryKeyPath ContainsCIS
"Excel\Security\ProtectedView") AND RegistryKeyPath In Contains Anycase ("VBAWarnings","DisableInternetFilesInPV","DisableUnsafeLocationsInPV","DisableAttachementsInPV")
AND EventType In ("Registry Value Create","Registry Value Modified")
false_positives: null
tags: null
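Review bot: The second clause `ContainsCIS "Excel\Security\ProtectedView"` is a subset of the first `ContainsCIS "Excel\Security"`, so it adds nothing, and the rule is Excel-only while the title says Microsoft Office; `VBAWarnings` lives under `Word\Security` and `PowerPoint\Security` too. Suggest `RegistryKeyPath In Contains Anycase ("Excel\Security","Word\Security","PowerPoint\Security")` for the first group. `DisableAttachementsInPV` in the value-name list should be checked against the real value name before relying on it.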
+15
@@ -0,0 +1,15 @@
title: Disable Sysmon
description: Detection of disabling the Sysmon driver or service.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 001
operating_system: windows
query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv")
OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
false_positives: null
tags: null
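Review bot: `TgtProcName = "sysmon.exe"` does not cover the 64-bit binary `sysmon64.exe`, so the uninstall branch only fires for 32-bit installs. `TgtProcName In Contains Anycase ("sysmon.exe","sysmon64.exe")` matches the list style used elsewhere in the commit. `ContainsCIS "-u"` also matches `-u` inside any other argument (for example a path containing `-update`); `" -u"` with the leading space narrows it to the switch.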
@@ -0,0 +1,15 @@
title: DLL Search Order Hijacking
description: Detection of common DLL search order hijacks.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Persistence, Privilege Escalation
technique: T1574
subtechnique: 001
operating_system: windows
query: (FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32")
AND EventType = "File Creation"
false_positives: null
tags: null
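Review bot: The query matches a single DLL name, `amsi.dll`, while `description: Detection of common DLL search order hijacks` suggests broader coverage; either widen the name list or narrow the description to `amsi.dll written outside System32`. `EventType = "File Creation"` does not cover overwriting an existing copy, so if the platform emits a modification event for that case it should be added. `false_positives: null` is plausible here, but the description should say that legitimate installers are not expected to drop this DLL.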
@@ -0,0 +1,16 @@
title: DLL Side-Loading of Notepad++ GUP.exe
description: Detection for GUP.exe side-loading a dll, where executable has a display
name of "WinGup for Notepad++" and has non-standard source process. Keep an eye
on Cross Process events.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Persistence, Privilege Escalation
technique: T1574
subtechnique: 002
operating_system: windows
query: TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
false_positives: null
tags: null
@@ -0,0 +1,19 @@
title: Enable Guest account with RDP and Admin
description: Detects enabling of Guest account, adding Guest account to groups, as
well as changing of Deny/Allow of Terminal Server connections through Registry changes.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Initial Access, Persistence, Privilege Escalation, Defense Evasion
technique: T1078
subtechnique: 001
operating_system: windows
query: (SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS
"guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS
"/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal
Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value
Modified"))
false_positives: null
tags: null
@@ -0,0 +1,16 @@
title: Exchange Transport Agent Cmdlet Use
description: Detection of Powershell TransportAgent Cmdlets being used to setup an
Exchange Transport Agent.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1505
subtechnique: 002
operating_system: windows
query: SrcProcCmdLine In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
OR SrcProcCmdScript In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
false_positives: null
tags: null
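Review bot: `Get-TransportAgent` is a read-only enumeration cmdlet that Exchange administrators run routinely, so listing it next to the install/enable cmdlets while `false_positives: null` produces noise the rule does not acknowledge. Either drop it from both lists or record it under `false_positives`, e.g. `false_positives: Routine Get-TransportAgent enumeration by Exchange admins.`.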
@@ -0,0 +1,16 @@
title: T1552.001 Findstr Password Extraction
description: Detection of content exfiltration of passwords within files using findstr.exe
or PowerShell's findstr.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1552
subtechnique: 006
operating_system: windows
query: TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern
password"
false_positives: null
tags: null
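Review bot: `subtechnique: 006` is T1552.006 Group Policy Preferences, which belongs to the next rule; this rule's own title says T1552.001 (Credentials In Files) and the query searches file contents, so it should be `subtechnique: 001`. The description says `PowerShell's findstr`, but `-pattern password` is a `Select-String` argument; `description: ... using findstr.exe or PowerShell's Select-String.` is accurate. Neither clause is tied to a process name, so any command line containing `/si pass` matches, which the description should note.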
@@ -0,0 +1,17 @@
title: Group Policy Preference Cred Extraction
description: Detection focuses on sysvol GP Policy xml file enumeration, with findstr
or Get-GPPPassword (Alias or CmdScript internal match).
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1552
subtechnique: 006
operating_system: windows
query: TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline
ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path
\"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'"
false_positives: null
tags: null
@@ -0,0 +1,17 @@
title: Image File Execution Debugger
description: Detections addition of a debugger process to executables using Image
File Execution Options.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 008
operating_system: windows
query: (RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options"
AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value
Create" OR EventType = "Registry Key Create")
false_positives: null
tags: null
@@ -0,0 +1,16 @@
title: Image File Execution Options Injection
description: Detection of Image File Execution Options tampering for persistence through
Registry monitoring.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 012
operating_system: windows
query: RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit")
AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess")
false_positives: null
tags: null
@@ -0,0 +1,18 @@
title: Inhibit System Recovery
description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion
of shadowcopy content and disabling of system recovery.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Impact
technique: T1490
subtechnique: null
operating_system: windows
query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete
catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy"
AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy"
AND SrcProcCmdScript ContainsCIS "Delete()")
false_positives: null
tags: null
+22
@@ -0,0 +1,22 @@
title: Invoke-MalDoc
description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion
Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query
should only be used for threat hunting, but it will detect Macro security settings
changes to the registry for Word and Excel as well as detecting COM objects within
ComandLine and CommandScript indicator objects. There may be a lot of results, focus
on Indicators and Command Scripts objects as they'll have less false positives.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Initial Access
technique: T1566
subtechnique: 001
operating_system: windows
query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")
AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
false_positives: null
tags: null
@@ -0,0 +1,17 @@
title: Kill Eventlog Service Threads
description: Detection is specific to Invoke-Phant0m strings as the test uses it,
and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread
call.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 002
operating_system: windows
query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS
"$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
false_positives: null
tags: null
@@ -0,0 +1,17 @@
title: LaZagne Password Theft
description: LaZagne happens to spawn 3 cmd shells to save security, system and sam
RegKeys, and the standard compiled release from github will have the original name
artifact of lazagne.exe.manifest within the %temp%_MEI?????\lazagne.exe.manifest
location.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1552
subtechnique: 001
operating_system: windows
query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
false_positives: null
tags: null
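Review bot: `Contains "reg.exe save hklm\s"` is case-sensitive while hive names are commonly typed in upper case (`reg save HKLM\SAM`), and `reg.exe` is usually invoked as `reg`, so the first branch misses most real invocations. A case-insensitive pair such as `TgtProcCmdline ContainsCIS " save hklm\s"`, or (constructed) `TgtProcCmdline RegExp "(?i)\breg(\.exe)?\s+save\s+hklm\\s"`, covers both spellings. The `lazagne.exe.manifest` path clause is a fine literal artifact match but is also case-sensitive `Contains`.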
@@ -0,0 +1,16 @@
title: Local Account Added Windows
description: Query below we'll query all instances of local accounts being created.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1136
subtechnique: 001
operating_system: windows
query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser")
OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet
localgroup administrators\b.*\b\/add\b"
false_positives: General account maintenance.
tags: null
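Review bot: The literal `"net user /add"` in the first clause never matches a real account creation, because the name and password sit between `user` and `/add` (`net user name pass /add`); a regex like the one already used for localgroup, (constructed) `"\bnet\s+user\b.*\/add\b"`, fixes that. The second clause, `RegExp "\bdscl\b.*\b/\create\b"`, targets the macOS `dscl` tool inside an `operating_system: windows` rule and spells the switch wrongly (dscl takes `-create`, and `\c` is not a literal `c` in several regex engines); it belongs in Local Account Added Linux with `-create`. `false_positives: General account maintenance.` is a good entry and the other account rules in this commit should carry the same.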
+15
@@ -0,0 +1,15 @@
title: Logon Scripts Windows
description: Detects addition of logon scripts through command line or registry methods.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1037
subtechnique: 001
operating_system: windows
query: SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS
"UserInitMprLogonScript" AND EventType = "Registry Value Create")
false_positives: null
tags: null
+15
@@ -0,0 +1,15 @@
title: T1003.004 LSA Secrets
description: For simplicity, we're detecting a Cmdline used for both psexec (the test)
as well as direct reg.exe LSA extraction.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1003
subtechnique: 004
operating_system: windows
query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
false_positives: null
tags: null
+18
@@ -0,0 +1,18 @@
title: LSASS Memory Dumping
description: Detection of wce by hash, procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault all in one query.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1003
subtechnique: 001
operating_system: windows
query: TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdline
ContainsCIS "-ma lsass.exe" OR TgtProcCmdline ContainsCIS "comsvcs.dll, MiniDump"
OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*.DMP"
OR (SrcProcCmdline ContainsCIS "sekurlsa::minidump" OR SrcProcCmdline ContainsCIS
"sekurlsa::logonpasswords") OR SrcProcCmdline ContainsCIS "live lsa"
false_positives: null
tags: null
+18
@@ -0,0 +1,18 @@
title: Malicious Documents
description: The tests for this technique overlap heavily with T1566.001 Spearphishing
Attachment due to similar download and macro detections, so here we're focusing
on detecting Office applications launching processes.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution
technique: T1204
subtechnique: 002
operating_system: windows
query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
OR IndicatorName = "SuspiciousDocument"
false_positives: Legit docs with macros.
tags: null
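Review bot: `SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE")` is case-sensitive while the child list on the next line uses `Anycase`; depending on how the agent reports image names, a lower-case `winword.exe` parent is not matched. POWERPNT.EXE and OUTLOOK.EXE are absent although the description says Office applications. Suggest `SrcProcParentName In Contains Anycase ("winword.exe","excel.exe","powerpnt.exe","outlook.exe")`.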
@@ -0,0 +1,18 @@
title: Malicious Process Start Added to Powershell Profile
description: Detects the addition of process execution strings (TgtProcCmdLine In
Contains Anycase (list))to the powershell profile, through CommandLine and CommandScript
indicators.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 013
operating_system: windows
query: (SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript
ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile"
AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c"))
false_positives: null
tags: null
@@ -0,0 +1,17 @@
title: Modified SysInternals AccessChk Chrome password collector
description: To focus on detection, we're looking for AccessChk.exe where the DisplayName
does not match that of the original. There's 4X as many Cross_Process objects with
this query but none detect the collection of the Chrome password db.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1555
subtechnique: 003
operating_system: windows
query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
permissions for securable objects"
false_positives: null
tags: null
@@ -0,0 +1,15 @@
title: Windows Service Creation Modification
description: Detects creation and modification of windows services through binPath
argument to sc.exe.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1543
subtechnique: 003
operating_system: windows
query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
false_positives: null
tags: null
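Review bot: `Contains "binPath="` is case-sensitive, but sc.exe accepts the option in any case (`binpath=`, `BINPATH=`), so only the camel-cased spelling is matched; use `ContainsCIS "binpath="` like the other command-line rules in this commit. The description names `create` and `config` as the operations of interest, so `AND TgtProcCmdLine In Contains Anycase ("create","config")` ties the match to them rather than to any sc.exe invocation carrying the option.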
+18
@@ -0,0 +1,18 @@
title: Mshta
description: SentinelOne happens to be pretty good at detecting MSHTA attacks, and
IndicatorName = "SuspiciousScript" specifically picks out these javascript based
attacks very well. The below query will detect mshta.exe spawning processes as well
as URLs for remote payloads to be loaded by mshta.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 005
operating_system: windows
query: (SrcProcName = "mshta.exe" and EventType = "Open Remote Process Handle") OR
(SrcProcName = "mshta.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
false_positives: null
tags: null
+20
@@ -0,0 +1,20 @@
title: Msiexec Remote MSI
description: The below query will accurately detect execution of remote msi files
by msiexec.exe. The second half of the query aims to detect processes spawned by
msi files instead of dll files in the CommandLine (as that is very noisy) and may
return a bit of noise within for the CrossProcess Object as some auto-update processes
may be collected by this query.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 007
operating_system: windows
query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
AND SrcProcParentName = "msiexec.exe")
false_positives: null
tags: null
+17
@@ -0,0 +1,17 @@
title: Netsh Helper DLL
description: Detection of "helper" dlls with network command shell, through command
arguments or registry modification.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 007
operating_system: windows
query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR
(RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value
Create")
false_positives: null
tags: null
@@ -0,0 +1,19 @@
title: Non-Windows Control Panel Item
description: The below query will find all cpl files outside standard directories
and all cpl files executed outside of Windows directories. First portion of query
may need to be dropped if there's too much noise in your environment.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 002
operating_system: windows
query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
false_positives: null
tags: null
+18
@@ -0,0 +1,18 @@
title: NTDS Copy
description: We won't bother detecting VSS copies being created, rather detecting
credential file copies. NTDS.dit or SYSTEM whether a VSS copy or not.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1003
subtechnique: 003
operating_system: windows
query: SrcProcCmdline RegExp "^.*copy.*\\Windows\\NTDS\\NTDS.dit.*" OR SrcProcCmdline
RegExp "^.*copy.*\\Windows\\System32\\config\\SYSTEM .*" OR SrcProcCmdline ContainsCIS
"save HKLM\SYSTEM" OR (TgtProcName = "ntdsutil.exe" AND TgtProcCmdline ContainsCIS
"ac i ntds") OR (TgtProcName = "mklink.exe" and TgtProcCmdline RegExp "^.*\/[d,D].*GLOBALROOT\\Device\\HarddiskVolumeShadowCopy.*")
false_positives: null
tags: null
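Review bot: `TgtProcName = "mklink.exe"` on the last query line can never match: mklink is an internal command of cmd.exe, not an executable, so the symlink-to-shadow-copy branch is dead. The command text appears on the cmd.exe process, so `(TgtProcName = "cmd.exe" AND TgtProcCmdline ContainsCIS "mklink" AND TgtProcCmdline RegExp "^.*\/[d,D].*GLOBALROOT\\Device\\HarddiskVolumeShadowCopy.*")` is the working equivalent. The `copy` regexes are case-sensitive and anchored on `\Windows\NTDS\`; a lower-case `windows` path or an `xcopy`/`robocopy` invocation still contains `copy`, which is fine, but the description should say that `esentutl` copies are not covered.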
@@ -0,0 +1,15 @@
title: Open Local Port on Defender Firewall
description: Detection of opening of local ports within Defender Firewall.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 004
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
ContainsCIS "dir=in" AND TgtProcCmdLine ContainsCIS "localport="
false_positives: null
tags: null
+20
@@ -0,0 +1,20 @@
title: Parent PID Spoofing
description: Detects parent PID spoofing through Cross Process indicators (SrcProcParentName
limits scope heavily) as well as detecting the use of PPID-Spoof powershell script
through Command Scripts indicators. Update the TgtProcName list to filter noise.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1134
subtechnique: 004
operating_system: windows
query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Process
Handle" AND SrcProcParentName In Contains Anycase ("userinit.exe","powershell.exe","cmd.exe")
AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel != "LOW" AND TgtProcName
Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
false_positives: null
tags: null
@@ -0,0 +1,15 @@
title: Pass the Hash & Pass the Ticket
description: 'Detecting command line arguments of Mimikatz, so binary and powershell
mimikatz will be detected assuming arguments haven''t been modified before deployment. '
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Lateral Movement
technique: T1550
subtechnique: null
operating_system: windows
query: TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt")
false_positives: null
tags: null
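Review bot: `subtechnique: null` loses information the query itself encodes: `sekurlsa::pth` is T1550.002 (Pass the Hash) and `kerberos::ptt` is T1550.003 (Pass the Ticket), so `subtechnique: 002, 003` in the comma-list style already used for `tactic` elsewhere in this commit would be more useful. The single-quoted description ends with a stray trailing space before the closing quote. `/ntlm:` is a much shorter token than the other two; consider documenting in `false_positives` any legitimate tooling that is known to pass that argument.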
@@ -0,0 +1,17 @@
title: PowerShell GUI Input Capture
description: Focusing here on detecting the Powershell UI.PromptForCredential and
GetNetworkCredential().Password in CmdScript or CmdLine.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1056
subtechnique: 002
operating_system: windows
query: (TgtProcCmdline ContainsCIS ".UI.PromptForCredential(" AND TgtProcCmdline ContainsCIS ".GetNetworkCredential().Password")
OR (SrcProcCmdScript ContainsCIS ".UI.PromptForCredential(" AND SrcProcCmdScript
ContainsCIS ".GetNetworkCredential().Password")
false_positives: null
tags: null
@@ -0,0 +1,15 @@
title: PowerShell HTTP Form Submission
description: Detection of powershell data POST and PUT with Invoke-WebRequest.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Exfiltration
technique: T1020
subtechnique: null
operating_system: windows
query: SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS
"-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
false_positives: PowerShell HTTP form submissions.
tags: null
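Review bot: The query only matches the spelled-out `Invoke-WebRequest`, while the Powershell MalDoc hunk in the same commit already lists the `(iwr` alias; the alias and `Invoke-RestMethod` / `irm` bypass this detection for the same behaviour. A list such as `SrcProcCmdLine In Contains Anycase ("Invoke-WebRequest","Invoke-RestMethod","iwr ","irm ")` keeps the `-Method` clause and closes that gap. `false_positives: PowerShell HTTP form submissions.` restates the title; naming the legitimate sources of such traffic in the environment would be more useful.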
+15
@@ -0,0 +1,15 @@
title: Powershell Keylogging
description: Detect Get-KeyStrokes invocation by alias or CmdScript line matching.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1056
subtechnique: 001
operating_system: windows
query: TgtProcCmdline ContainsCIS "Get-Keystrokes" OR SrcProcCmdScript ContainsCIS
"user32.dll GetAsyncKeyState" OR SrcProcCmdScript ContainsCIS "[Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32("
false_positives: null
tags: null
+21
@@ -0,0 +1,21 @@
title: Powershell MalDoc
description: This test merely uses Powershell to download a maldoc, the below query
will find CommandLine or CommandScript downloads using multiple cradle methods as
documented here by HarmJ0y https://gist.github.com/HarmJ0y/bb48307ffa663256e239.
The below query should only be used for hunting purposes and covers most unobfuscated
powershell cradles.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Initial Access
technique: T1566
subtechnique: 001
operating_system: windows
query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
(","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
(","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
false_positives: null
tags: null
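Review bot: The list item `"IEX` / `("` is split across a line break inside an unquoted YAML scalar, which folds to `"IEX ("` with a space; if the intended token was `IEX(` the match silently differs, so quoting the whole `query` value (as the Process Hollowing hunk does) would make the pattern explicit. The two identical eight-item lists for `SrcProcCmdLine` and `SrcProcCmdScript` will drift apart on the next edit; documenting that they must stay in sync, or noting it in `tags`, is worth a line. The description maps this to T1566.001 because of the Atomic test, but the query itself detects download cradles; a note that it is a T1105/T1059.001-style hunt rather than a phishing-attachment detection would set analyst expectations.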
+18
@@ -0,0 +1,18 @@
title: Process Hollowing
description: Detect Process Hollowing using the Start-Hollow powershell script, through
CommandLine and CommandScript indicators.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1055
subtechnique: 012
operating_system: windows
query: '--- Detect Start-Hollow.ps1 by command or content
(SrcProcCmdScript ContainsCIS "Start-Hollow" AND SrcProcCmdScript ContainsCIS "[Hollow]::NtQueryInformationProcess")
OR TgtProcCmdLine ContainsCIS "Start-Hollow"'
false_positives: null
tags: null
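Review bot: The `query` value begins with a comment line, `--- Detect Start-Hollow.ps1 by command or content`, embedded inside the quoted string; no other hunk does this, and unless the query language accepts `---` comments this text is submitted as part of the query and breaks it. Move that sentence into `description` and keep `query` to the boolean expression alone. The `Start-Hollow` match is by script name, so a renamed copy is not covered; the description could say so.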
+17
@@ -0,0 +1,17 @@
title: T1055 Process Injection
description: Detects Process Injection through execution of MavInject, filtering out
noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
HQ results.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1055
subtechnique: null
operating_system: windows
query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
false_positives: null
tags: null
+14
@@ -0,0 +1,14 @@
title: RDP Hijacking
description: Detects RDS and RemoteApp session redirections for lateral movement.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Lateral Movement
technique: T1563
subtechnique: 002
operating_system: windows
query: SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"
false_positives: null
tags: null
@@ -0,0 +1,17 @@
title: Registry Credential Enumeration
description: This query detects enumeration and discovery of credentials within the
Registry, including Putty sessions.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1552
subtechnique: 002
operating_system: windows
query: TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline
ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS
"query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"
false_positives: null
tags: null
+15
@@ -0,0 +1,15 @@
title: Registry Run Keys
description: Detecting on the addition of registry keys to Run, RunOnce, RunOnceEx keys where Parent Process isn't "trusted".
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1547
subtechnique: 001
operating_system: windows
query: ( RegistryKeyPath ContainsCIS "Windows\CurrentVersion\Run" AND EventType =
"Registry Key Create" ) AND SrcProcParentName Not In ("smss.exe","svchost.exe","SetupHost.exe","OneDriveSetup.exe","WindowsUpdateBox.exe")
false_positives: null
tags: null
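Review bot: `EventType = "Registry Key Create"` will rarely fire for Run-key persistence, because an entry is a new value under the already-existing Run / RunOnce / RunOnceEx keys rather than a new key; the sibling hunks (Network Shell helper, Screensaver Change) use `"Registry Value Create"` for the same kind of event, so `EventType In ("Registry Value Create","Registry Value Modified")` is the condition the description asks for. This hunk also uses `RegistryKeyPath` where the helper-DLL and AMSI hunks use `RegistryPath`; confirm which field exists, since a wrong field name fails the whole query. The description reads "Detecting on the addition of"; "Detects the addition of" is the intended wording.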
@@ -0,0 +1,15 @@
title: Remove AMSI Provider Reg Key
description: Detection of removal of AMSI as system provider.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 001
operating_system: windows
query: RegistryPath ContainsCIS "\Microsoft\AMSI\Providers" AND EventType In ("Registry
Key Delete","Registry Value Delete")
false_positives: null
tags: null
@@ -0,0 +1,19 @@
title: Scheduled Tasks Creation
description: Our goal with this query is to detect any schtasks /create command as
well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent
noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName
executables.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution, Persistence
technique: T1053
subtechnique: 005
operating_system: windows
query: (( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" )
OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript ContainsCIS
"New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")
false_positives: null
tags: null
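Review bot: The PowerShell branch matches the `New-ScheduledTask*` family, which only builds in-memory action/trigger/task objects, but not `Register-ScheduledTask`, the cmdlet that actually writes the task; a script that builds the task with splatting or `New-ScheduledTask` on one line and registers it on another is only caught by the first line. `SrcProcCmdLine In Contains Anycase ("New-ScheduledTask","Register-ScheduledTask")` (and the same for `SrcProcCmdScript`) covers the persistence step itself. The two-entry `SrcProcParentName` exclusion differs from the longer list in the ScheduledTaskRegister hunk; documenting why the lists diverge would help whoever tunes them later.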
+15
@@ -0,0 +1,15 @@
title: ScheduledTaskRegister
description: Leveraging the ScheduleTaskRegister Indicator object for detection of
registered tasks.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1053
subtechnique: 005
operating_system: windows
query: IndicatorName = "ScheduleTaskRegister" AND SrcProcParentName Not In ("Integrator.exe","OfficeClickToRun.exe","services.exe","OneDriveSetup.exe","Ccm32BitLauncher.exe","WmiPrvSE.exe")
false_positives: null
tags: null
+16
@@ -0,0 +1,16 @@
title: Screensaver Change
description: Detects malicious changes to screensaver through Registry changes, filtering
expected processes.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence, Privilege Escalation
technique: T1546
subtechnique: 002
operating_system: windows
query: RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType
In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
false_positives: null
tags: null
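Review bot: `SCRNSAVE.EXE` is a value name, not a key, so if `RegistryKeyPath` carries only the key path this clause never matches — confirm against a real event; the same question applies to `Security Packages` in the Security Support Provider hunk and `UserInitMprLogonScript` in the Windows Logon Scripts hunk. If the value name lives in a separate field, the match should be `RegistryKeyPath ContainsCIS "Control Panel\Desktop" AND <value-name field> = "SCRNSAVE.EXE"` (field name to be confirmed from the schema).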
+15
@@ -0,0 +1,15 @@
title: Scripted Lateral RDP
description: Query will catch use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Lateral Movement
technique: T1021
subtechnique: 001
operating_system: windows
query: TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV"
AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:"
false_positives: null
tags: null
@@ -0,0 +1,14 @@
title: Secure Delete Data Destruction
description: Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Impact
technique: T1485
subtechnique: null
operating_system: windows
query: TgtProcDisplayName = "Secure file delete"
false_positives: null
tags: null
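Review bot: The description does not match the query: it talks about the DD command on *nix systems, but `operating_system` is `windows` and the query only matches `TgtProcDisplayName = "Secure file delete"`. Trim it to what this file detects, e.g. `description: Detection of SDelete by its file description ("Secure file delete"); a renamed or rebuilt binary with a different version resource is not covered.`. The note about `TgtFileDeletionCount` belongs with the *nix DD query, not here.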
@@ -0,0 +1,18 @@
title: Security Support Provider
description: Detection of changes to Security Support Provider through Registry modification.
Filters most standard system changes with SrcProcName Not In (list) but there will
be some noise from installers.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1547
subtechnique: 005
operating_system: windows
query: RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName
Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not
ContainCIS "system32\wsauth.dll")
false_positives: null
tags: null
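Review bot: Unlike the other registry hunks in this commit, this query has no `EventType` constraint, so any event type the sensor records against the `Security Packages` path (reads included, if those are emitted) will fire; add `AND EventType In ("Registry Value Create","Registry Value Modified")` to keep it to changes, as the description states. The `SrcProcCmdLine Does Not ContainCIS "system32\wsauth.dll"` exclusion is odd: that DLL name would normally appear in the registry value data rather than in the writing process's command line — presumably an installer passes it as an argument; confirm and document the case in `false_positives`.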
+17
@@ -0,0 +1,17 @@
title: Service Disable
description: Detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Impact
technique: T1489
subtechnique: null
operating_system: windows
query: (TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode
Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled")
OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType
Disabled")
false_positives: Manual service toggling.
tags: null
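Review bot: `TgtProcName = "WMIC.exe"` here (and `SrcProcName = "WMIC.exe"` in the Windows Management Instrumentation hunk) differs in case from `TgtProcName = "wmic.exe"` in the Windows Remote Management hunk; if `=` compares case-sensitively one of the spellings never matches, so pick one form, or use the `In Contains Anycase` operator the commit already relies on. The `sc.exe` branch keys only on `disabled`, which also appears in unrelated `sc` arguments; `ContainsCIS "start= disabled"` is the form the `sc config` syntax produces.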
+15
@@ -0,0 +1,15 @@
title: Service Starting
description: Detection of sc.exe start or start-service.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution
technique: T1569
subtechnique: 002
operating_system: windows
query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine
ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe"
false_positives: Manual service actions.
tags: null
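Review bot: The title and description say service *start* (`sc.exe start` / `Start-Service`), but the `sc.exe` clause matches `"create"`, which is service creation and already the subject of the Windows Service Creation hunk; either change the clause to `SrcProcCmdLine ContainsCIS "start"` or retitle the file to match what it detects. `ContainsCIS "create"` is also a very short token that will hit any `sc.exe` command line mentioning it, so the exact-argument form is preferable either way.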
+15
@@ -0,0 +1,15 @@
title: Startup Folder
description: Detect any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1547
subtechnique: 001
operating_system: windows
query: FileFullName ContainsCIS "Programs\Startup" AND FileType In Contains Anycase
("vbs","jse","bat") AND EventType = "File Creation"
false_positives: null
tags: null
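Review bot: File extensions are matched three different ways across this commit: `FileType In Contains Anycase (...)` here, `FileType = "bat"` in the Windows Command Shell hunk, and `TgtFileExtension In Contains (...)` in the Startup Shortcuts and Web Shell Creation hunks; if only one of `FileType` / `TgtFileExtension` holds the extension, the other queries are silently empty. Confirm the field from the schema and use the same case-insensitive list form everywhere. `EventType = "File Creation"` misses an existing script being overwritten in the Startup folder; `EventType In ("File Creation","File Modification")` as in the Unquoted Service Path hunk covers both.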
+16
@@ -0,0 +1,16 @@
title: Startup Shortcuts
description: Detection .lnk or .url files written to Startup folders.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1547
subtechnique: 009
operating_system: windows
query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND
TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND
SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
false_positives: Some application installs.
tags: null
@@ -0,0 +1,16 @@
title: Unquoted Service Path for program.exe
description: Detects creation or modification of the file at C:\program.exe for exploiting
unquoted services paths of Program Files folder.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Persistence, Privilege Escalation
technique: T1574
subtechnique: 009
operating_system: windows
query: (FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification"))
OR TgtProcImagePath = "C:\program.exe"
false_positives: null
tags: null
@@ -0,0 +1,14 @@
title: Visual Basic Execution From Temp
description: Detect execution of vbs files from any Temp\ directory to be more useful.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution
technique: T1059
subtechnique: 005
operating_system: windows
query: SrcProcName = "cscript.exe" AND SrcProcCmdLine RegExp "\bTemp\b.*\.(vbs)"
false_positives: null
tags: null
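Review bot: `SrcProcName = "cscript.exe"` leaves out `wscript.exe`, the default host for .vbs files, so most interactive launches from a Temp directory are not covered; `SrcProcName In ("cscript.exe","wscript.exe") AND SrcProcCmdLine RegExp "\bTemp\b.*\.vbs"` keeps the intent, and the `(vbs)` group in the original regex adds nothing. The description's "to be more useful" is left over from an edit; "Detects execution of .vbs files from any Temp\ directory." reads cleanly.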
+17
@@ -0,0 +1,17 @@
title: Web Shell Creation
description: Generic web shell detection with filtering of possibly trusted sources
of noise.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence
technique: T1505
subtechnique: 003
operating_system: windows
query: EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\wwwroot"
AND TgtFileExtension In Contains Anycase ("jsp","aspx","php") AND SrcProcName Not
In ("explorer.exe","msdeploy.exe")
false_positives: null
tags: null
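Review bot: Excluding `explorer.exe` from `SrcProcName` suppresses a web shell dropped interactively by a logged-in user, which is one of the cases a "generic" detection should keep; consider moving that exclusion to a documented tuning step in `false_positives` instead of baking it in. The `inetpub\wwwroot` path match only covers the default IIS root, so sites configured under other paths are invisible to this query; the description should say so, or the path list should be made environment-specific.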
+15
@@ -0,0 +1,15 @@
title: Windows Command Shell
description: Query for bat files executed from temp directories where SrcProcParentName isn't an executable we want to filter.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution
technique: T1059
subtechnique: 003
operating_system: windows
query: (SrcProcName = "cmd.exe" AND FileFullName ContainsCIS "\Temp" AND FileType
= "bat") AND SrcProcParentName Not In ("msiexec.exe")
false_positives: null
tags: null
+14
@@ -0,0 +1,14 @@
title: Windows Logon Scripts
description: Detects addition of logon scripts through command line or registry methods.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation
technique: T1037
subtechnique: 001
operating_system: windows
query: SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS
"UserInitMprLogonScript" AND EventType = "Registry Value Create")
false_positives: null
tags: null
@@ -0,0 +1,17 @@
title: Windows Management Instrumentation
description: Detection query has been limited to wmic.exe, and focuses on discovery and execution
commandlines.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Execution
technique: T1047
subtechnique: null
operating_system: windows
query: ( SrcProcName = "WMIC.exe" AND SrcProcCmdLine In Contains Anycase ("useraccount
get","process get","qfe get","service where","process call","call create") ) AND
SrcProcParentName Not In ("msiexec.exe")
false_positives: null
tags: null
@@ -0,0 +1,16 @@
title: Windows Management Instrumentation Event Subscription
description: Detect WMI Event Subs using the New-CimInstance cmdlet, through CommandLine
and CommandScript indicators.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 003
operating_system: windows
query: SrcProcCmdLine ContainsCIS "New-CimInstance -Namespace root/subscription" OR
SrcProcCmdScript ContainsCIS "New-CimInstance -Namespace root/subscription"
false_positives: null
tags: null
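Review bot: Both clauses require the literal `New-CimInstance -Namespace root/subscription`, so a different argument order, an extra parameter between cmdlet and namespace, or the `root\subscription` (backslash) form is not matched. Matching the cmdlet and the namespace as separate terms is more robust: `(SrcProcCmdLine ContainsCIS "New-CimInstance" AND SrcProcCmdLine In Contains Anycase ("root/subscription","root\subscription"))`, with the same shape for `SrcProcCmdScript`. `Set-WmiInstance` reaches the same namespace and could be added to the cmdlet list.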
@@ -0,0 +1,22 @@
title: Windows Remote Management
description: The below query (in order) remote process executions through MMC, WMIC,
and PsExec (by name or display name). Also of note, there are only 3 tests documented
for this Atomic, yet there are 6 tests, so the below query focuses on detectability.
PsExec detection may have a lot of noise depending on your environment, and may
require additional filtering.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Lateral Movement
technique: T1021
subtechnique: 006
operating_system: windows
query: (TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine ContainsCIS
"MMC20.application" AND TgtProcCmdLine ContainsCIS ".Document.ActiveView.ExecuteShellCommand(")
OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine
ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR
SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty)
false_positives: null
tags: null
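Review bot: The query contains no WinRM indicator at all — its three branches are MMC20/DCOM, WMIC `process call create`, and PsExec — yet the file is mapped to T1021.006 (Windows Remote Management); either add WinRM terms (`winrs`, `Enter-PSSession`, `Invoke-Command -ComputerName`) or re-map the existing branches to T1021.003 / T1047 / T1021.002 so analysts are not misled. The description is missing its verb: "The below query detects (in order) remote process executions through …". The PsExec branch gates on `DstIp Is Not Empty`; confirm that process events carry `DstIp`, otherwise that branch never fires.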
@@ -0,0 +1,15 @@
title: Windows Service Creation
description: Detects creation and modification of windows services through binPath
argument to sc.exe.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation
technique: T1543
subtechnique: 003
operating_system: windows
query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
false_positives: null
tags: null
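Review bot: `TgtProcCmdLine Contains "binPath="` is the only case-sensitive `Contains` in the commit; `sc.exe` accepts `binpath=` in any case, so the lowercase form is not caught. Use `TgtProcCmdLine ContainsCIS "binpath="` as every other hunk does. The title mentions modification but `tactic` lists only Privilege Escalation; T1543.003 is Persistence as well, and `tactic: Persistence, Privilege Escalation` matches the comma-list style used elsewhere.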
@@ -0,0 +1,15 @@
title: Windows Share Creation
description: Detecting the creation and use of Windows shares, may catch a lot of legitimate activity.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Lateral Movement
technique: T1021
subtechnique: 002
operating_system: windows
query: TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine
ContainsCIS "use ")
false_positives: Share creations.
tags: null
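Review bot: The `net.exe` clause matches `use `, which maps an existing share, not `share `, which creates one; the title says "Share Creation", so `TgtProcCmdLine In Contains Anycase ("use ","share ")` is needed for the query to do what its name claims. `New-PSDrive` likewise maps rather than creates; `New-SmbShare` is the creating cmdlet. Since the description already admits heavy legitimate activity, `false_positives` should list the expected sources (logon scripts, drive-mapping GPOs) rather than the generic "Share creations.".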
+18
@@ -0,0 +1,18 @@
title: Winlogon Helper DLL
description: Detects Winlogon Helper Dll changes through Registry MetadataIndicator
item, as it holds the full registry change info but will only return data of the
Indicators object type.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1547
subtechnique: 004
operating_system: windows
query: IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell")
AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
false_positives: null
tags: null
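Review bot: The final exclusion `Does Not ContainCIS "WINDOWS\system32\userinit.exe"` suppresses any event whose metadata contains the legitimate userinit path — which includes a tampered Userinit value that keeps the legitimate entry and appends another executable, the exact pattern T1547.004 describes. Exclude only the unmodified default instead: match on the indicator's full recorded value (equality, in whatever form `IndicatorMetadata` stores it — confirm from a sample event) rather than a substring. The note that the Registry MetadataIndicator "will only return data of the Indicators object type" would be clearer as a sentence stating that other registry fields are unavailable in this query's result set.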