From 131e8d959ba8ba31e7140e7e5ccfb7433c22a420 Mon Sep 17 00:00:00 2001
From: junk
Date: Wed, 8 Jan 2025 20:31:55 -0500
Subject: [PATCH] Upload files to "/"
---
 spl-magic-hound.xml | 445 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 445 insertions(+)
 create mode 100644 spl-magic-hound.xml
diff --git a/spl-magic-hound.xml b/spl-magic-hound.xml
new file mode 100644
index 0000000..7bb7cfb
--- /dev/null
+++ b/spl-magic-hound.xml
@@ -0,0 +1,445 @@ +```check against powershell /c "Get-PhysicalDisk | Select-Object DeviceID, MediaType, Size, FriendlyName"``` +`indextime` (`sysmon` OR `windows`) AND "powershell /c "Get-PhysicalDisk" +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.", +mitre_category="Discovery", +mitre_technique="File and Directory Discovery", +mitre_technique_id="T1083", +mitre_subtechnique="", +mitre_subtechnique_id="", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T1083/", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + +`indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"') +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.", +mitre_category="Defense_Evasion", +mitre_technique="Impair Defenses", +mitre_technique_id="T1562", +mitre_subtechnique="Disable or Modify Tools", +mitre_subtechnique_id="T1562.001", +apt="Magic Hound", 
+mitre_link="https://attack.mitre.org/techniques/T1562/001/", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + +`indextime` (`sysmon` OR `windows`) AND ('powershell /c "Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, EmailAddress"' OR 'powershell /c "Get-ADUser') +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. 
Adversaries may try to dump Exchange address lists such as global address lists (GALs).", +mitre_category="Discovery", +mitre_technique="Account Discovery", +mitre_technique_id="T1087", +mitre_subtechnique="Email Account", +mitre_subtechnique_id="T1087.003", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + +`indextime` (`sysmon` OR `windows`) AND *.docm +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. 
", +mitre_category="Persistence", +mitre_technique="Office Application Startup", +mitre_technique_id="T1137", +mitre_subtechnique="Office Template Macros", +mitre_subtechnique_id="T1137.001", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T1137/001/", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + +`indextime` (`sysmon` OR `windows`) AND 'powershell.exe /c "net user DefaultAccount /active:yes"' +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", +mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation","Initial_Access"), +mitre_technique="Valid Accounts", +mitre_technique_id="T1078", +mitre_subtechnique="Default Accounts", +mitre_subtechnique_id="T1078.001", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T1078/001/", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line 
process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +T1562 + + +`indextime` (`sysmon` OR `windows`) AND (reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f) +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", +`indextime` (`sysmon` OR `windows`) AND () +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", +mitre_subtechnique="", +mitre_subtechnique_id="T####.###", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + + +T1562.002 - disable event log service + +powershell.exe /c 'auditpol /clear /y' + + + +`indextime` (`sysmon` OR `windows`) AND () +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", +mitre_subtechnique="", +mitre_subtechnique_id="T####.###", +apt="Magic Hound", 
+mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + + +T1056.001 - Keylogger + + + +`indextime` (`sysmon` OR `windows`) AND () +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", +mitre_subtechnique="", +mitre_subtechnique_id="T####.###", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + +T1049 + +quser + + + + + +`indextime` (`sysmon` OR `windows`) AND () +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", 
+mitre_subtechnique="", +mitre_subtechnique_id="T####.###", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + +T1560.001 + +powershell /c 'Compress-Archive -Path "*" -DestinationPath "*.zip"' + + + + +`indextime` (`sysmon` OR `windows`) AND () +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", +mitre_subtechnique="", +mitre_subtechnique_id="T####.###", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + +T1486 + +schtasks /create /tn "*" /tr "'C:\Users\*'" /sc minute /mo 2 /ru SYSTEM 
/rl HIGHEST + + + + +`indextime` (`sysmon` OR `windows`) AND () +| eval hash_sha256= lower(hash_sha256), +hunting_trigger="", +mitre_category="", +mitre_technique="", +mitre_technique_id="T####", +mitre_subtechnique="", +mitre_subtechnique_id="T####.###", +apt="Magic Hound", +mitre_link="https://attack.mitre.org/techniques/T####", +creator="Cpl Iverson", +upload_date="2025-01-08", +last_modify_date="2025-01-08", +mitre_version="v16", +priority="" +| `process_create_whitelist` +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` + + + + + + + + + + + + + + + + + + + + + + + + + + +------------------------------------------ +------------ SURICATA RULES -------------- +------------------------------------------ + +"mail-newyorker.com" +"news12.com.recover-session-service.site" +
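Review bot: The first search's filter `"powershell /c "Get-PhysicalDisk"` has unbalanced quotes (the string literal closes after `/c `, leaving `Get-PhysicalDisk"` dangling), so it will not parse as intended, and every populated search keys on one exact literal command line such as `'powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"'`, which is defeated by `powershell` vs `powershell.exe`, `-Command`/`-enc`, or any change in case or spacing. Scope the match to the field with wildcards instead, e.g. `process_command_line="*Set-MpPreference*" AND process_command_line="*DisableRealtimeMonitoring*"` for the T1562.001 search and `process_command_line="*Get-PhysicalDisk*"` for the disk-enumeration search. The T1137.001 search uses a bare leading-wildcard term `*.docm` over all fields, which is expensive and will fire on any event that mentions a macro-enabled document rather than on Office template or startup paths, so it should at least be bound to a path field. The T1087.003 search still carries the placeholder `mitre_link="https://attack.mitre.org/techniques/T####"` (expected `https://attack.mitre.org/techniques/T1087/003/`), and the stub blocks further down (`AND ()`, `T####`, the unquoted `reg add HKLM\SYSTEM\...` path whose backslashes SPL treats as escapes, and a `T1486` heading over a schtasks command) will error or mislabel results if this file is loaded as-is; keep them out of the runnable searches until they are filled in.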