junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update splunk-magic-hound.md

Browse Source
This commit is contained in:
junk
2025-01-08 20:35:04 -05:00
parent ebd206dcd7
commit 6d46dcec02
1 changed files with 21 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
splunk-magic-hound.md
View File

@ -23,6 +23,8 @@ priority=""
| collect `jarvis_index` | collect `jarvis_index`
``` ```
```
`indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"') `indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"')
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.", hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
@ -43,7 +45,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ('powershell /c "Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, EmailAddress"' OR 'powershell /c "Get-ADUser') `indextime` (`sysmon` OR `windows`) AND ('powershell /c "Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, EmailAddress"' OR 'powershell /c "Get-ADUser')
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).", hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).",
@ -64,7 +68,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND *.docm `indextime` (`sysmon` OR `windows`) AND *.docm
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. ", hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. ",
@ -85,7 +91,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND 'powershell.exe /c "net user DefaultAccount /active:yes"' `indextime` (`sysmon` OR `windows`) AND 'powershell.exe /c "net user DefaultAccount /active:yes"'
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.",
@ -106,7 +114,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND (reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f) `indextime` (`sysmon` OR `windows`) AND (reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f)
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.", hunting_trigger="Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.",
@ -127,7 +137,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND "powershell.exe /c 'auditpol /clear /y'" `indextime` (`sysmon` OR `windows`) AND "powershell.exe /c 'auditpol /clear /y'"
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.", hunting_trigger="Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.",
@ -148,7 +160,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")) (Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )) OR (ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*") `indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")) (Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )) OR (ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*")
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.", hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
@ -169,7 +183,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ("quser.exe" OR "netstat -ano") `indextime` (`sysmon` OR `windows`) AND ("quser.exe" OR "netstat -ano")
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
@ -190,7 +206,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip") `indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip")
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
@ -211,7 +229,9 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ("schtasks /create /tn" OR "/ru SYSTEM") `indextime` (`sysmon` OR `windows`) AND ("schtasks /create /tn" OR "/ru SYSTEM")
| eval hash_sha256= lower(hash_sha256), | eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.", hunting_trigger="Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.",
@ -232,9 +252,7 @@ priority=""
| convert ctime(indextime) | convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index` | collect `jarvis_index`
```