auto-generated queries from markdown notes

2026-06-11 10:21:20 +00:00 · 2020-11-23 12:08:31 -06:00
parent a3c07c2199
commit 7c09d914d1
85 changed files with 1414 additions and 0 deletions
@@ -0,0 +1,14 @@
+title: DD Data Destruction
+description: Detection of data destruction with the DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Impact
+   technique: T1485
+   subtechnique: null
+operating_system: linux
+query: AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of="
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Disable Syslog
+description: Detect disabling of Linux Syslog service.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: null
+operating_system: linux
+query: TgtProcName In Contains ("service","chkconfig","systemctl") AND TgtProcCmdLine
+  In Contains ("rsyslog stop","off rsyslog","stop rsyslog","disable rsyslog")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Disabling Linux Firewall
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+description: Detection of Linux firewall being disabled.
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: null
+operating_system: linux
+query: (SrcProcName In Contains ("service","chkconfig") AND SrcProcCmdLine In Contains
+  ("off","stop") AND SrcProcCmdLine ContainsCIS "tables") OR (TgtProcName = "systemctl"
+  AND TgtProcCmdLine In Contains ("stop","disable") AND TgtProcCmdLine Contains "firewalld")
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: Local Account Added Linux
+description: Query all instances of local accounts being Linux and OSX.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1136
+   subtechnique: null
+operating_system: linux
+query: SrcProcCmdLine In Contains Anycase ("useradd")
+false_positives: General account maintenance.
+tags: null
+
@@ -0,0 +1,18 @@
+title: Account Access Removal
+description: Detects the deletion of a local user account or removal of Active Directory
+  groups through powershell cmdlets. No detection for account password resets for
+  purpose of impact due to false detections.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Impact
+   technique: T1531
+   subtechnique: null
+operating_system: windows
+query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR
+  TgtProcCmdLine  ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS
+  "Remove-ADGroupMember"
+false_positives: null
+tags: null
+
@@ -0,0 +1,22 @@
+title: Account Manipulation
+description: Both Atomic tests for account manipulation rely on PowerShell AD module,
+  so we can catch both with one query. We have the query encapsulated so that we can
+  filter it at the end by Parent Process, as some Logon Scripts and Configuration
+  Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
+  certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
+  on import of Powershell AD cmdlets.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1098
+   subtechnique: null
+operating_system: windows
+query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
+  OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
+  OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
+  RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
+  ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
+false_positives: null
+tags: null
@@ -0,0 +1,15 @@
+title: Allow Executable Through Defender Firewall
+author: keyboardcrunch
+description: Detect allowance of executables through Defender Firewall.
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 002
+operating_system: windows
+query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
+  ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Allow SMB and RDP on Defender Firewall
+description: Detects addition of Defender firewall rules for SMB and RDP.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 002
+operating_system: windows
+query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "remote desktop"
+  AND TgtProcCmdLine ContainsCIS "enable=Yes") OR (TgtProcName = "netsh.exe" AND TgtProcCmdLine
+  ContainsCIS "file and printer sharing" AND TgtProcCmdLine ContainsCIS "enable=Yes")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: AMSI Bypass Through InitFailed
+description: Detects AMSI bypass through InitFailed.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 001
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
+  OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Application Shimming
+description: Detects application shimming through sdbinst or registry modification.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1546
+   subtechnique: 008
+operating_system: windows
+query: (SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath
+  ContainsCIS "AppInit_DLLs" OR RegistryPath  ContainsCIS "AppCompatFlags") AND (EventType
+  = "Registry Value Create" OR EventType = "Registry Value Modified"))
+false_positives: null
+tags: null
@@ -0,0 +1,16 @@
+title: Assoc Default File Change
+description: Detection of file association change through assoc command.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation
+   technique: T1546
+   subtechnique: 008
+operating_system: windows
+query: '--- File assoc change by assoc command
+
+  TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: AT Scheduled Task
+description: Detect interactive process execution scheduled by AT command.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution, Persistence, Privilege Escalation
+   technique: T1053
+   subtechnique: 002
+operating_system: windows
+query: TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "
+false_positives: null
+tags: null
+
@@ -0,0 +1,20 @@
+title: BITS Jobs
+description: The below query will find and remote content downloads from DesktopImgDownldr
+  or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system
+  processes and noise with SrcProcParentName Not In ().
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Persistence
+   technique: T1197
+   subtechnique: null
+operating_system: windows
+query: (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.exe")
+  AND ( TgtProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
+  OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe"
+  AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not
+  In ("services.exe","smss.exe","wininit.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Browser Extension Installation
+description: This query takes a lazy approach to detecting the staging of xpi or crx
+  extension packages for installation within Chrome and Firefox based browsers. Unsure
+  how to filter our extension updates without excluding too much.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1176
+   subtechnique: null
+operating_system: windows
+query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp
+  "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
+false_positives: null
+tags: null
+
@@ -0,0 +1,20 @@
+title: T1548.002 Bypass User Access Control
+description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
+  or .msc file types. Beyond this Atomic test, and to further UAC bypass detection,
+  the below query includes detection for CMSTPLUA COM interface abuse by GUID. Noted
+  issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key
+  paths were ControlSet001\Service\bam\State\UserSettings\GUID...
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Privilege Escalation
+   technique: T1548
+   subtechnique: 008
+operating_system: windows
+query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
+  ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
+  AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
+false_positives: null
+tags: null
+
@@ -0,0 +1,19 @@
+title: Change Shell Open RegKeys
+description: Detection of file association changes. Detection by registry is noisy
+  due to problem filtering on registry root, so install/uninstall apps create noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1546
+   subtechnique: 008
+operating_system: windows
+query: '--- File assoc change by registry
+
+  RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
+  , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
+  Value Modified" )'
+false_positives: null
+tags: null
+
@@ -0,0 +1,19 @@
+title: Clear Windows Event Logs
+description: Detects the clearing of EventLogs through wevtutil (concise) as well
+  as Clear-EventLog through CommandLine and CommandScript objects. Powershell cmdlet
+  detection returns a lot of noise for the CommandScripts object, so filtering out
+  SrcProcParentName may be required.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1070
+   subtechnique: 001
+operating_system: windows
+query: (TgtProcName  = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine
+  ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND
+  SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: CMSTP
+description: CMSTP is rarely used within my environment, so the below detection has
+  low false positives without filtering, though you may want to limit query to inf
+  files located in personal/writeable directories.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1218
+   subtechnique: 003
+operating_system: windows
+query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: Compile After Delivery
+description: Both Atomic tests for this technique leverage csc.exe for compilation
+  of code. The below will detect specific compilation of executables as well as dynamic
+  compilation through detection of csc.exe creating executable files (both dll and
+  exe). Filter noise from later portion of query using SrcProcParentName Not In ().
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1027
+   subtechnique: 004
+operating_system: windows
+query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName  =
+  "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Compiled HTML File
+description: Breaking down the below query, the first section will detect Atomic Test
+  1 where a malicious chm file spawns a process, whereas the second half of the query
+  detects hh.exe loading a remote payloads.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1218
+   subtechnique: 001
+operating_system: windows
+query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName
+  = "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: COR Profiler
+description: Detection of unmanaged COR profiler hooking of .NET CLR through registry
+  or process command.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Persistence, Privilege Escalation
+   technique: T1574
+   subtechnique: 012
+operating_system: windows
+query: (SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment")
+  OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"
+false_positives: null
+tags: null
+
@@ -0,0 +1,19 @@
+title: Deobfuscate or Decode Files
+description: This Atomic tests detections of certutil encoding and decoding of executables,
+  and the replication of certutil for bypassing detection of executable encoding.
+  Our query below will detected renamed certutil through matching of DisplayName,
+  as well as encoding or decoding of exe files.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1140
+   subtechnique: null
+operating_system: windows
+query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
+  ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
+  OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: Disable Defender Firewall
+description: Detection on disabling Microsoft Defender Firewall.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 004
+operating_system: windows
+query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Disable IIS Logging
+description: Detects disabling of IIS logging.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 002
+operating_system: windows
+query: TgtProcName = "appcmd.exe" AND TgtProcCmdLine ContainsCIS "/dontLog:true" AND
+  TgtProcCmdLine ContainsCIS "/section:httplogging"
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: T1562.001 Disable Microsoft Office Security Features
+description: Detects disabling of Microsoft Office Security features.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 001
+operating_system: windows
+query: (RegistryKeyPath ContainsCIS "Excel\Security" OR RegistryKeyPath ContainsCIS
+  "Excel\Security\ProtectedView") AND RegistryKeyPath In Contains Anycase ("VBAWarnings","DisableInternetFilesInPV","DisableUnsafeLocationsInPV","DisableAttachementsInPV")
+  AND EventType In ("Registry Value Create","Registry Value Modified")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Disable Sysmon
+description: Detection of disabling the Sysmon driver or service.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 001
+operating_system: windows
+query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv")
+  OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: DLL Search Order Hijacking
+description: Detection of common DLL search order hijacks.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Persistence, Privilege Escalation
+   technique: T1574
+   subtechnique: 001
+operating_system: windows
+query: (FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32")
+  AND EventType = "File Creation"
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: DLL Side-Loading of Notepad++ GUP.exe
+description: Detection for GUP.exe side-loading a dll, where executable has a display
+  name of "WinGup for Notepad++" and has non-standard source process. Keep an eye
+  on Cross Process events.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Persistence, Privilege Escalation
+   technique: T1574
+   subtechnique: 002
+operating_system: windows
+query: TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,19 @@
+title: Enable Guest account with RDP and Admin
+description: Detects enabling of Guest account, adding Guest account to groups, as
+  well as changing of Deny/Allow of Terminal Server connections through Registry changes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Initial Access, Persistence, Privilege Escalation, Defense Evasion
+   technique: T1078
+   subtechnique: 001
+operating_system: windows
+query: (SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS
+  "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS
+  "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal
+  Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value
+  Modified"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Exchange Transport Agent Cmdlet Use
+description: Detection of Powershell TransportAgent Cmdlets being used to setup an
+  Exchange Transport Agent.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1505
+   subtechnique: 002
+operating_system: windows
+query: SrcProcCmdLine In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
+  OR SrcProcCmdScript In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: T1552.001 Findstr Password Extraction
+description: Detection of content exfiltration of passwords within files using findstr.exe
+  or PowerShell's findstr.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1552
+   subtechnique: 006
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern
+  password"
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Group Policy Preference Cred Extraction
+description: Detection focuses on sysvol GP Policy xml file enumeration, with findstr
+  or Get-GPPPassword (Alias or CmdScript internal match).
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1552
+   subtechnique: 006
+operating_system: windows
+query: TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline
+  ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path
+  \"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'"
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Image File Execution Debugger
+description: Detections addition of a debugger process to executables using Image
+  File Execution Options.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1546
+   subtechnique: 008
+operating_system: windows
+query: (RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options"
+  AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value
+  Create" OR EventType = "Registry Key Create")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Image File Execution Options Injection
+description: Detection of Image File Execution Options tampering for persistence through
+  Registry monitoring.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1546
+   subtechnique: 012
+operating_system: windows
+query: RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit")
+  AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess")
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: Inhibit System Recovery
+description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion
+  of shadowcopy content and disabling of system recovery.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Impact
+   technique: T1490
+   subtechnique: null
+operating_system: windows
+query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete
+  catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy"
+  AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy"
+  AND SrcProcCmdScript ContainsCIS "Delete()")
+false_positives: null
+tags: null
+
@@ -0,0 +1,22 @@
+title: Invoke-MalDoc
+description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion
+  Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query
+  should only be used for threat hunting, but it will detect Macro security settings
+  changes to the registry for Word and Excel as well as detecting COM objects within
+  ComandLine and CommandScript indicator objects. There may be a lot of results, focus
+  on Indicators and Command Scripts objects as they'll have less false positives.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Initial Access
+   technique: T1566
+   subtechnique: 001
+operating_system: windows
+query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")
+  AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
+  In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
+  OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Kill Eventlog Service Threads
+description: Detection is specific to Invoke-Phant0m strings as the test uses it,
+  and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread
+  call.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 002
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS
+  "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: LaZagne Password Theft
+description: LaZagne happens to spawn 3 cmd shells to save security, system and sam
+  RegKeys, and the standard compiled release from github will have the original name
+  artifact of lazagne.exe.manifest within the %temp%_MEI?????\lazagne.exe.manifest
+  location.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1552
+   subtechnique: 001
+operating_system: windows
+query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Local Account Added Windows
+description: Query below we'll query all instances of local accounts being created.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1136
+   subtechnique: 001
+operating_system: windows
+query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser")
+  OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet
+  localgroup administrators\b.*\b\/add\b"
+false_positives: General account maintenance.
+tags: null
+
@@ -0,0 +1,15 @@
+title: Logon Scripts Windows
+description: Detects addition of logon scripts through command line or registry methods.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1037
+   subtechnique: 001
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS
+  "UserInitMprLogonScript" AND EventType = "Registry Value Create")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: T1003.004 LSA Secrets
+description: For simplicity, we're detecting a Cmdline used for both psexec (the test)
+  as well as direct reg.exe LSA extraction.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1003
+   subtechnique: 004
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: LSASS Memory Dumping
+description: Detection of wce by hash, procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault all in one query.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1003
+   subtechnique: 001
+operating_system: windows
+query: TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdline
+  ContainsCIS "-ma lsass.exe" OR TgtProcCmdline ContainsCIS "comsvcs.dll, MiniDump"
+  OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*.DMP"
+  OR (SrcProcCmdline ContainsCIS "sekurlsa::minidump" OR SrcProcCmdline ContainsCIS
+  "sekurlsa::logonpasswords") OR SrcProcCmdline ContainsCIS "live lsa"
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: Malicious Documents
+description: The tests for this technique overlap heavily with T1566.001 Spearphishing
+  Attachment due to similar download and macro detections, so here we're focusing
+  on detecting Office applications launching processes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution
+   technique: T1204
+   subtechnique: 002
+operating_system: windows
+query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
+  In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
+  OR IndicatorName = "SuspiciousDocument"
+false_positives: Legit docs with macros.
+tags: null
+
@@ -0,0 +1,18 @@
+title: Malicious Process Start Added to Powershell Profile
+description: Detects the addition of process execution strings (TgtProcCmdLine In
+  Contains Anycase (list))to the powershell profile, through CommandLine and CommandScript
+  indicators.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1546
+   subtechnique: 013
+operating_system: windows
+query: (SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript
+  ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile"
+  AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Modified SysInternals AccessChk Chrome password collector
+description: To focus on detection, we're looking for AccessChk.exe where the DisplayName
+  does not match that of the original. There's 4X as many Cross_Process objects with
+  this query but none detect the collection of the Chrome password db.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1555
+   subtechnique: 003
+operating_system: windows
+query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
+  permissions for securable objects"
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Windows Service Creation Modification
+description: Detects creation and modification of windows services through binPath
+  argument to sc.exe.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1543
+   subtechnique: 003
+operating_system: windows
+query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: Mshta
+description: SentinelOne happens to be pretty good at detecting MSHTA attacks, and
+  IndicatorName = "SuspiciousScript" specifically picks out these javascript based
+  attacks very well. The below query will detect mshta.exe spawning processes as well
+  as URLs for remote payloads to be loaded by mshta.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1218
+   subtechnique: 005
+operating_system: windows
+query: (SrcProcName = "mshta.exe" and EventType = "Open Remote Process Handle") OR
+  (SrcProcName = "mshta.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
+false_positives: null
+tags: null
+
@@ -0,0 +1,20 @@
+title: Msiexec Remote MSI
+description: The below query will accurately detect execution of remote msi files
+  by msiexec.exe. The second half of the query aims to detect processes spawned by
+  msi files instead of dll files in the CommandLine (as that is very noisy) and may
+  return a bit of noise within for the CrossProcess Object as some auto-update processes
+  may be collected by this query.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1218
+   subtechnique: 007
+operating_system: windows
+query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
+  ) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
+  AND SrcProcParentName = "msiexec.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Netsh Helper DLL
+description: Detection of "helper" dlls with network command shell, through command
+  arguments or registry modification.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1546
+   subtechnique: 007
+operating_system: windows
+query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR
+  (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value
+  Create")
+false_positives: null
+tags: null
+
@@ -0,0 +1,19 @@
+title: Non-Windows Control Panel Item
+description: The below query will find all cpl files outside standard directories
+  and all cpl files executed outside of Windows directories. First portion of query
+  may need to be dropped if there's too much noise in your environment.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1218
+   subtechnique: 002
+operating_system: windows
+query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
+  AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
+  ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
+  ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: NTDS Copy
+description: We won't bother detecting VSS copies being created, rather detecting
+  credential file copies. NTDS.dit or SYSTEM whether a VSS copy or not.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1003
+   subtechnique: 003
+operating_system: windows
+query: SrcProcCmdline RegExp "^.*copy.*\\Windows\\NTDS\\NTDS.dit.*" OR SrcProcCmdline
+  RegExp "^.*copy.*\\Windows\\System32\\config\\SYSTEM .*" OR SrcProcCmdline ContainsCIS
+  "save HKLM\SYSTEM" OR (TgtProcName = "ntdsutil.exe" AND TgtProcCmdline ContainsCIS
+  "ac i ntds") OR (TgtProcName = "mklink.exe" and  TgtProcCmdline RegExp "^.*\/[d,D].*GLOBALROOT\\Device\\HarddiskVolumeShadowCopy.*")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Open Local Port on Defender Firewall
+description: Detection of opening of local ports within Defender Firewall.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 004
+operating_system: windows
+query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
+  ContainsCIS "dir=in" AND TgtProcCmdLine ContainsCIS "localport="
+false_positives: null
+tags: null
+
@@ -0,0 +1,20 @@
+title: Parent PID Spoofing
+description: Detects parent PID spoofing through Cross Process indicators (SrcProcParentName
+  limits scope heavily) as well as detecting the use of PPID-Spoof powershell script
+  through Command Scripts indicators. Update the TgtProcName list to filter noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Privilege Escalation
+   technique: T1134
+   subtechnique: 004
+operating_system: windows
+query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Process
+  Handle" AND SrcProcParentName In Contains Anycase ("userinit.exe","powershell.exe","cmd.exe")
+  AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel  != "LOW" AND TgtProcName
+  Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
+  SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Pass the Hash & Pass the Ticket
+description: 'Detecting command line arguments of Mimikatz, so binary and powershell
+  mimikatz will be detected assuming arguments haven''t been modified before deployment. '
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Lateral Movement
+   technique: T1550
+   subtechnique: null
+operating_system: windows
+query: TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt")
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: PowerShell GUI Input Capture
+description: Focusing here on detecting the Powershell UI.PromptForCredential and
+  GetNetworkCredential().Password in CmdScript or CmdLine.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1056
+   subtechnique: 002
+operating_system: windows
+query: (TgtProcCmdline ContainsCIS ".UI.PromptForCredential(" AND TgtProcCmdline ContainsCIS  ".GetNetworkCredential().Password")
+  OR (SrcProcCmdScript ContainsCIS ".UI.PromptForCredential(" AND SrcProcCmdScript
+  ContainsCIS  ".GetNetworkCredential().Password")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: PowerShell HTTP Form Submission
+description: Detection of powershell data POST and PUT with Invoke-WebRequest.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Exfiltration
+   technique: T1020
+   subtechnique: null
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS
+  "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
+false_positives: PowerShell HTTP form submissions.
+tags: null
+
@@ -0,0 +1,15 @@
+title: Powershell Keylogging
+description: Detect Get-KeyStrokes invocation by alias or CmdScript line matching.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1056
+   subtechnique: 001
+operating_system: windows
+query: TgtProcCmdline ContainsCIS "Get-Keystrokes" OR SrcProcCmdScript ContainsCIS
+  "user32.dll GetAsyncKeyState" OR SrcProcCmdScript ContainsCIS "[Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32("
+false_positives: null
+tags: null
+
@@ -0,0 +1,21 @@
+title: Powershell MalDoc
+description: This test merely uses Powershell to download a maldoc, the below query
+  will find CommandLine or CommandScript downloads using multiple cradle methods as
+  documented here by HarmJ0y https://gist.github.com/HarmJ0y/bb48307ffa663256e239.
+  The below query should only be used for hunting purposes and covers most unobfuscated
+  powershell cradles.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Initial Access
+   technique: T1566
+   subtechnique: 001
+operating_system: windows
+query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
+  (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
+  In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
+  (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: Process Hollowing
+description: Detect Process Hollowing using the Start-Hollow powershell script, through
+  CommandLine and CommandScript indicators.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Privilege Escalation
+   technique: T1055
+   subtechnique: 012
+operating_system: windows
+query: '--- Detect Start-Hollow.ps1 by command or content
+
+  (SrcProcCmdScript ContainsCIS "Start-Hollow" AND SrcProcCmdScript ContainsCIS "[Hollow]::NtQueryInformationProcess")
+  OR TgtProcCmdLine ContainsCIS "Start-Hollow"'
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: T1055 Process Injection
+description: Detects Process Injection through execution of MavInject, filtering out
+  noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
+  HQ results.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Privilege Escalation
+   technique: T1055
+   subtechnique: null
+operating_system: windows
+query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
+  AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: RDP Hijacking
+description: Detects RDS and RemoteApp session redirections for lateral movement.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Lateral Movement
+   technique: T1563
+   subtechnique: 002
+operating_system: windows
+query: SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Registry Credential Enumeration
+description: This query detects enumeration and discovery of credentials within the
+  Registry, including Putty sessions.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1552
+   subtechnique: 002
+operating_system: windows
+query: TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline
+  ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS
+  "query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Registry Run Keys
+description: Detecting on the addition of registry keys to Run, RunOnce, RunOnceEx keys where Parent Process isn't "trusted".
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1547
+   subtechnique: 001
+operating_system: windows
+query: ( RegistryKeyPath ContainsCIS "Windows\CurrentVersion\Run" AND EventType =
+  "Registry Key Create" ) AND SrcProcParentName Not In ("smss.exe","svchost.exe","SetupHost.exe","OneDriveSetup.exe","WindowsUpdateBox.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Remove AMSI Provider Reg Key
+description: Detection of removal of AMSI as system provider.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1562
+   subtechnique: 001
+operating_system: windows
+query: RegistryPath ContainsCIS "\Microsoft\AMSI\Providers" AND EventType In ("Registry
+  Key Delete","Registry Value Delete")
+false_positives: null
+tags: null
+
@@ -0,0 +1,19 @@
+title: Scheduled Tasks Creation
+description: Our goal with this query is to detect any schtasks /create command as
+  well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent
+  noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName
+  executables.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution, Persistence
+   technique: T1053
+   subtechnique: 005
+operating_system: windows
+query: (( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" )
+  OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript  ContainsCIS
+  "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: ScheduledTaskRegister
+description: Leveraging the ScheduleTaskRegister Indicator object for detection of
+  registered tasks.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1053
+   subtechnique: 005
+operating_system: windows
+query: IndicatorName = "ScheduleTaskRegister" AND SrcProcParentName Not In ("Integrator.exe","OfficeClickToRun.exe","services.exe","OneDriveSetup.exe","Ccm32BitLauncher.exe","WmiPrvSE.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Screensaver Change
+description: Detects malicious changes to screensaver through Registry changes, filtering
+  expected processes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence, Privilege Escalation
+   technique: T1546
+   subtechnique: 002
+operating_system: windows
+query: RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType
+  In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Scripted Lateral RDP
+description: Query will catch use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Lateral Movement
+   technique: T1021
+   subtechnique: 001
+operating_system: windows
+query: TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV"
+  AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:"
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: Secure Delete Data Destruction
+description: Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Impact
+   technique: T1485
+   subtechnique: null
+operating_system: windows
+query: TgtProcDisplayName = "Secure file delete"
+false_positives: null
+tags: null
+
@@ -0,0 +1,18 @@
+title: Security Support Provider
+description: Detection of changes to Security Support Provider through Registry modification.
+  Filters most standard system changes with SrcProcName Not In (list) but there will
+  be some noise from installers.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1547
+   subtechnique: 005
+operating_system: windows
+query: RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName
+  Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not
+  ContainCIS "system32\wsauth.dll")
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Service Disable
+description: Detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Impact
+   technique: T1489
+   subtechnique: null
+operating_system: windows
+query: (TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode
+  Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled")
+  OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType
+  Disabled")
+false_positives: Manual service toggling.
+tags: null
+
@@ -0,0 +1,15 @@
+title: Service Starting
+description: Detection of sc.exe start or start-service.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution
+   technique: T1569
+   subtechnique: 002
+operating_system: windows
+query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine
+  ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe"
+false_positives: Manual service actions.
+tags: null
+
@@ -0,0 +1,15 @@
+title: Startup Folder
+description: Detect any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1547
+   subtechnique: 001
+operating_system: windows
+query: FileFullName ContainsCIS "Programs\Startup" AND FileType In Contains Anycase
+  ("vbs","jse","bat") AND EventType = "File Creation"
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Startup Shortcuts
+description: Detection .lnk or .url files written to Startup folders.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1547
+   subtechnique: 009
+operating_system: windows
+query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND
+  TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND
+  SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
+false_positives: Some application installs.
+tags: null
+
@@ -0,0 +1,16 @@
+title: Unquoted Service Path for program.exe
+description: Detects creation or modification of the file at C:\program.exe for exploiting
+  unquoted services paths of Program Files folder.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion, Persistence, Privilege Escalation
+   technique: T1574
+   subtechnique: 009
+operating_system: windows
+query: (FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification"))
+  OR TgtProcImagePath = "C:\program.exe"
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: Visual Basic Execution From Temp
+description: Detect execution of vbs files from any Temp\ directory to be more useful.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution
+   technique: T1059
+   subtechnique: 005
+operating_system: windows
+query: SrcProcName = "cscript.exe" AND SrcProcCmdLine RegExp "\bTemp\b.*\.(vbs)"
+false_positives: null
+tags: null
+
@@ -0,0 +1,17 @@
+title: Web Shell Creation
+description: Generic web shell detection with filtering of possibly trusted sources
+  of noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Persistence
+   technique: T1505
+   subtechnique: 003
+operating_system: windows
+query: EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\wwwroot"
+  AND TgtFileExtension In Contains Anycase ("jsp","aspx","php") AND SrcProcName Not
+  In ("explorer.exe","msdeploy.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Windows Command Shell
+description: Query for bat files executed from temp directories where SrcProcParentName isn't an executable we want to filter.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution
+   technique: T1059
+   subtechnique: 003
+operating_system: windows
+query: (SrcProcName = "cmd.exe" AND FileFullName ContainsCIS "\Temp" AND FileType
+  = "bat") AND SrcProcParentName Not In ("msiexec.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,14 @@
+title: Windows Logon Scripts
+description: Detects addition of logon scripts through command line or registry methods.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation
+   technique: T1037
+   subtechnique: 001
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS
+  "UserInitMprLogonScript" AND EventType = "Registry Value Create")
+false_positives: null
+tags: null
@@ -0,0 +1,17 @@
+title: Windows Management Instrumentation
+description: Detection query has been limited to wmic.exe, and focuses on discovery and execution
+  commandlines.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Execution
+   technique: T1047
+   subtechnique: null
+operating_system: windows
+query: ( SrcProcName = "WMIC.exe" AND SrcProcCmdLine In Contains Anycase ("useraccount
+  get","process get","qfe get","service where","process call","call create") ) AND
+  SrcProcParentName Not In ("msiexec.exe")
+false_positives: null
+tags: null
+
@@ -0,0 +1,16 @@
+title: Windows Management Instrumentation Event Subscription
+description: Detect WMI Event Subs using the New-CimInstance cmdlet, through CommandLine
+  and CommandScript indicators.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1546
+   subtechnique: 003
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "New-CimInstance -Namespace root/subscription" OR
+  SrcProcCmdScript ContainsCIS "New-CimInstance -Namespace root/subscription"
+false_positives: null
+tags: null
+
@@ -0,0 +1,22 @@
+title: Windows Remote Management
+description: The below query (in order) remote process executions through MMC, WMIC,
+  and PsExec (by name or display name). Also of note, there are only 3 tests documented
+  for this Atomic, yet there are 6 tests, so the below query focuses on detectability.
+  PsExec detection may have a lot of noise depending on your environment, and may
+  require additional filtering.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Lateral Movement
+   technique: T1021
+   subtechnique: 006
+operating_system: windows
+query: (TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine ContainsCIS
+  "MMC20.application" AND TgtProcCmdLine ContainsCIS ".Document.ActiveView.ExecuteShellCommand(")
+  OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine
+  ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR
+  SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty)
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Windows Service Creation
+description: Detects creation and modification of windows services through binPath
+  argument to sc.exe.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation
+   technique: T1543
+   subtechnique: 003
+operating_system: windows
+query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
+false_positives: null
+tags: null
+
@@ -0,0 +1,15 @@
+title: Windows Share Creation
+description: Detecting the creation and use of Windows shares, may catch a lot of legitimate activity.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Lateral Movement
+   technique: T1021
+   subtechnique: 002
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine
+  ContainsCIS "use ")
+false_positives: Share creations.
+tags: null
+
@@ -0,0 +1,18 @@
+title: Winlogon Helper DLL
+description: Detects Winlogon Helper Dll changes through Registry MetadataIndicator
+  item, as it holds the full registry change info but will only return data of the
+  Indicators object type.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation, Persistence
+   technique: T1547
+   subtechnique: 004
+operating_system: windows
+query: IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows
+  NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell")
+  AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
+false_positives: null
+tags: null
+