From f8fe8fe514a02e4858e53e5ea6cd8fca68300b03 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sun, 12 Jan 2025 20:55:44 -0500
Subject: [PATCH] Delete splunk-magic-hound.md
---
 splunk-magic-hound.md | 274 ------------------------------------------
 1 file changed, 274 deletions(-)
 delete mode 100644 splunk-magic-hound.md
diff --git a/splunk-magic-hound.md b/splunk-magic-hound.md
deleted file mode 100644
index c811af1..0000000
--- a/splunk-magic-hound.md
+++ /dev/null
@@ -1,274 +0,0 @@
-[X] Updated
-
-```check against powershell /c "Get-PhysicalDisk | Select-Object DeviceID, MediaType, Size, FriendlyName"```
-
-```
-`indextime` (`sysmon` OR `windows`) AND "powershell /c "Get-PhysicalDisk"
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.",
-mitre_category="Discovery",
-mitre_technique="File and Directory Discovery",
-mitre_technique_id="T1083",
-mitre_subtechnique="",
-mitre_subtechnique_id="",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1083/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-
-```
-`indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"')
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
-mitre_category="Defense_Evasion",
-mitre_technique="Impair Defenses",
-mitre_technique_id="T1562",
-mitre_subtechnique="Disable or Modify Tools",
-mitre_subtechnique_id="T1562.001",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1562/001/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND ('powershell /c "Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, EmailAddress"' OR 'powershell /c "Get-ADUser')
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).",
-mitre_category="Discovery",
-mitre_technique="Account Discovery",
-mitre_technique_id="T1087",
-mitre_subtechnique="Email Account",
-mitre_subtechnique_id="T1087.003",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1087/003",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND *.docm
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. ",
-mitre_category="Persistence",
-mitre_technique="Office Application Startup",
-mitre_technique_id="T1137",
-mitre_subtechnique="Office Template Macros",
-mitre_subtechnique_id="T1137.001",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1137/001/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND 'powershell.exe /c "net user DefaultAccount /active:yes"'
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.",
-mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation","Initial_Access"),
-mitre_technique="Valid Accounts",
-mitre_technique_id="T1078",
-mitre_subtechnique="Default Accounts",
-mitre_subtechnique_id="T1078.001",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1078/001/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND (reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f)
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.",
-mitre_category="Defense_Evasion",
-mitre_technique="",
-mitre_technique_id="T1562",
-mitre_subtechnique="",
-mitre_subtechnique_id="T####.###",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1562/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND "powershell.exe /c 'auditpol /clear /y'"
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.",
-mitre_category="Defense_Evasion",
-mitre_technique="Impair Defenses",
-mitre_technique_id="T1562",
-mitre_subtechnique="Disable Windows Event Logging",
-mitre_subtechnique_id="T1562.002",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1562/002/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")) (Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )) OR (ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*")
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
-mitre_category="Defense_Evasion",
-mitre_technique="Impair Defenses",
-mitre_technique_id="T1562",
-mitre_subtechnique="Disable or Modify Tools",
-mitre_subtechnique_id="T1562.001",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1562/001",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND ("quser.exe" OR "netstat -ano")
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
-mitre_category="Discovery",
-mitre_technique="System Network Connections Discovery",
-mitre_technique_id="T1049",
-mitre_subtechnique="",
-mitre_subtechnique_id="",
-apt=mvappend("Volt Typhoon","Magic Hound"),
-mitre_link="https://attack.mitre.org/techniques/T1049/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip")
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
-mitre_category="Discovery",
-mitre_technique="System Network Connections Discovery",
-mitre_technique_id="T1049",
-mitre_subtechnique="",
-mitre_subtechnique_id="",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1049/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-```
-`indextime` (`sysmon` OR `windows`) AND ("schtasks /create /tn" OR "/ru SYSTEM")
-| eval hash_sha256= lower(hash_sha256),
-hunting_trigger="Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.",
-mitre_category="Impact",
-mitre_technique="Data Encrypted for Impact",
-mitre_technique_id="T1486",
-mitre_subtechnique="",
-mitre_subtechnique_id="",
-apt="Magic Hound",
-mitre_link="https://attack.mitre.org/techniques/T1486/",
-creator="Cpl Iverson",
-upload_date="2025-01-08",
-last_modify_date="2025-01-08",
-mitre_version="v16",
-priority=""
-| `process_create_whitelist`
-| eval indextime = _indextime
-| convert ctime(indextime)
-| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
-| collect `jarvis_index`
-```
-
-
-
-
-
-
-
-
-
-
-------------------------------------------
------------- SURICATA RULES --------------
-------------------------------------------
-
-"mail-newyorker.com"
-"news12.com.recover-session-service.site"
-