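[T1566.001] Spearphishing Attachment - Opened
`indextime` `sysmon` event_id=13 (registry_key_path="*trustrecords*" OR registry_key_path="*Software\\Microsoft\\VBA\\7.1\\Common*")
``` Sysmon event_id=13 is a registry value set. Per the hunting_trigger below, the two key patterns are expected to be written when a user enables macros / content for an Office document: the Office TrustRecords key and the VBA 7.1 Common key. ```
``` Fix: the second pattern previously read *TargetObject=*Software\\Microsoft\\VBA\\7.1\\Common* - the raw Sysmon field name TargetObject= had been pasted into the value, and registry_key_path never contains that text, so the VBA branch could not match. The OR grouping is now written out explicitly (SPL evaluates OR before the implicit AND, so this is the grouping it already used). ```
``` NOTE(review): registry events do not normally carry a file hash, so the lower(hash_sha256) below is presumably a no-op kept for uniformity with the process searches; hash_sha256 is not in the output table. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Macro enabled for document",
mitre_category="Initial_Access",
mitre_technique="Phishing",
mitre_technique_id="T1566",
mitre_subtechnique="Spearphishing Attachment",
mitre_subtechnique_id="T1566.001",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1566/001/",
creator="Cpl Iverson",
last_tested="",
upload_date="2024-01-01",
last_modify_date="2025-01-09",
mitre_version="v16",
priority=""
| `registry_whitelist`
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`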
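[T1050] New Service - Process
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe") AND (process_command_line="*New-Service*BinaryPathName*" OR process_command_line="*sc*create*binpath*" OR process_command_line="*sc*config*binpath*" OR process_command_line="*Get-WmiObject*Win32_Service*create*")
``` Service creation or modification driven from a command line: New-Service with a BinaryPathName, sc create / sc config with binpath=, or WMI Win32_Service create. Sources are Sysmon process creation (event_id=1) and Security 4688. ```
``` NOTE(review): the title still carries T1050, which ATT&CK retired into T1543.003; the metadata below already maps to T1543.003. The title is left as-is in case it is referenced as the saved-search name. ```
``` Added sc config ... binpath= so the modify half of Create or Modify System Process (re-pointing an existing service binary) is caught, not only creation. Services changed directly through the API or registry (no sc.exe / PowerShell command line) are not visible to this search. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.",
mitre_category=mvappend("Persistence","Privilege_Escalation"),
mitre_technique="Create or Modify System Process",
mitre_technique_id="T1543",
mitre_subtechnique="Windows Service",
mitre_subtechnique_id="T1543.003",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1543/003/",
creator="Cpl Iverson",
upload_date="2024-01-01",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`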
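[T1053] Scheduled Task - FileAccess
`indextime` `sysmon` event_id=11 process_path!="C:\\WINDOWS\\system32\\svchost.exe" (file_path="C:\\Windows\\System32\\Tasks\\*" OR file_path="C:\\Windows\\Tasks\\*")
``` Sysmon event_id=11 is a file create. Any process other than the system32 svchost.exe writing into either Tasks folder is reported - presumably because the Task Scheduler service (svchost-hosted) is the expected legitimate writer. The exclusion is on the full path, so a look-alike svchost.exe running from another directory is still reported. ```
``` NOTE(review): the flip side is that a task registered normally via schtasks.exe or the API is written by the service and therefore never appears here; this search only sees direct file drops into the Tasks folders. ```
``` Fix: the output table previously listed mitre_category, hunting_trigger, mitre_link etc. but nothing set them, and apt was set but not output. The full metadata set is now populated consistently with the other searches in this file. ```
| eval hunting_trigger="Task file written into a Windows Tasks folder by a process other than the Task Scheduler service host",
mitre_category=mvappend("Execution","Persistence","Privilege_Escalation"),
mitre_technique="Scheduled Task/Job",
mitre_technique_id="T1053",
mitre_subtechnique="Scheduled Task",
mitre_subtechnique_id="T1053.005",
apt=mvappend("Volt Typhoon"),
mitre_link="https://attack.mitre.org/techniques/T1053/005/",
priority=""
| `file_create_whitelist`
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link priority
| collect `jarvis_index`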
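[T1087.003] Email Account
`indextime` (`sysmon` OR `windows`) ("powershell /c" AND ("Get-ADUser -Filter * -Properties EmailAddress" OR "Select-Object Name, EmailAddress" OR "powershell /c Get-ADUser"))
``` Raw-text hunt for PowerShell pulling user email addresses out of Active Directory (Get-ADUser ... EmailAddress, or a following Select-Object Name, EmailAddress) - the Magic Hound tradecraft cited in the metadata below. ```
``` Fix: the phrases were single-quoted. In the search command single quotes are not phrase delimiters (double quotes are), so each multi-word phrase fell apart into bare terms plus stray quote characters. They are now double-quoted phrases, and the grouping is written out explicitly - it is the same grouping SPL already produced, since OR binds tighter than the implicit AND. ```
``` NOTE(review): the * inside the Get-ADUser phrase is the literal PowerShell -Filter argument; confirm Splunk is not expanding it as a wildcard. Only the powershell /c invocation form is matched; -c, -Command and -EncodedCommand forms are not, so treat this as a narrow hunt rather than coverage of T1087.003. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).",
mitre_category="Discovery",
mitre_technique="Account Discovery",
mitre_technique_id="T1087",
mitre_subtechnique="Email Account",
mitre_subtechnique_id="T1087.003",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1087/003/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`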
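[T1087] Account Discovery - net group
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="winword.exe" OR process_name="excel.exe" OR process_name="powerpnt.exe") AND (process_command_line="*macro*" OR process_command_line="*automation*" OR process_command_line="*shellcode*") AND process_parent_command_line="open*"
``` NOTE(review): the title says T1087 / net group, but the search and the metadata below are T1203 - an Office application launched with suspicious arguments. The title is left unchanged in case it is referenced as the saved-search name; the body looks like it was pasted under the wrong heading. ```
``` Fixes: (1) the two sources are now grouped - SPL evaluates OR before the implicit AND, so previously every Sysmon event_id=1 event bypassed the Office / command-line filter entirely; (2) exact matches such as Image=\winword.exe and CommandLine=macro can never equal a full path or a full command line, so they are now wildcard matches on the normalised process_name / process_command_line fields used by the other process searches in this file; (3) a missing comma after mitre_subtechnique_id broke the eval, and cve is now carried through to the output table instead of being computed and dropped. ```
``` NOTE(review): process_parent_command_line=open* is kept from the original; what parent command line starting with open it is meant to catch is not obvious - confirm against the source analytic before trusting it. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Office Application Process Execution",
mitre_category="Execution",
mitre_technique="Exploitation for Client Execution",
mitre_technique_id="T1203",
mitre_subtechnique="",
mitre_subtechnique_id="",
cve=mvappend("CVE-2020-0938","CVE-2020-1020"),
apt="",
mitre_link="https://attack.mitre.org/techniques/T1203/",
creator="Cpl Iverson",
upload_date="2024-12-11",
last_modify_date="2024-12-11",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id cve apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`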
[T1010] Application Window Discovery_Analytic_1
`indextime` `powershell` EventCode="4103" | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
``` PowerShell module logging (EventCode 4103) view of T1010: a Get-Process call that reads mainWindowTitle enumerates the visible application windows. ```
``` NOTE(review): 4103 events normally carry the invocation in Payload / ContextInfo rather than a CommandLine field - confirm the field name against live data, otherwise the where clause filters everything out. The LIKE comparison is case-sensitive while PowerShell is not, so mainwindowtitle would be missed. process_create_whitelist is applied to PowerShell log events rather than process-creation events; verify it is not dropping rows it was never designed for. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Suspicious Commands",
mitre_category="Discovery",
mitre_technique="Application Window Discovery",
mitre_technique_id="T1010",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"),
mitre_link="https://attack.mitre.org/techniques/T1010/",
creator="Cpl Iverson",
last_tested="",
upload_date="2024-12-04",
last_modify_date="2024-12-04",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
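[T1010] Application Window Discovery_Analytic_2
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_command_line="*Get-Process*" AND process_command_line="*mainWindowTitle*"
``` Process-creation counterpart of Analytic_1: a command line that calls Get-Process and reads mainWindowTitle enumerates the visible application windows. ```
``` Changes from the previous revision: the raw sourcetype=WinEventLog:Security EventCode=4688 clause is replaced by the windows-security macro and event_id field that every other process search in this file uses (assumes the macro resolves to that sourcetype - confirm); the post-retrieval where CommandLine LIKE filter, which is case-sensitive, is replaced by search-time wildcard terms on the normalised process_command_line field, which are case-insensitive and so match PowerShell's own case-insensitivity. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Suspicious Processes",
mitre_category="Discovery",
mitre_technique="Application Window Discovery",
mitre_technique_id="T1010",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"),
mitre_link="https://attack.mitre.org/techniques/T1010/",
creator="Cpl Iverson",
last_tested="",
upload_date="2024-12-04",
last_modify_date="2024-12-04",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`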
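[T1560.001] Archive via Utility
`indextime` (`sysmon` OR `windows`) ("Compress-Archive" AND "zip")
``` Raw-text hunt for the Compress-Archive cmdlet producing a .zip. Compress-Archive only exists in PowerShell, so the previous powershell /c prefix term added nothing except a restriction to the /c switch form, which is now dropped. ```
``` Fix: the old term was the double-quoted phrase  powershell /c 'Compress-Archive  - the stray single quote was part of the matched text, so the search only hit command lines that literally contained an apostrophe in front of the cmdlet name. ```
``` NOTE(review): this overlaps with the process-based T1560 search in this file, which also matches Compress-Archive on process_command_line; consider consolidating. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.",
mitre_category="Collection",
mitre_technique="Archive Collected Data",
mitre_technique_id="T1560",
mitre_subtechnique="Archive via Utility",
mitre_subtechnique_id="T1560.001",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1560/001/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`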
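[T1560] Archive Collected Data
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) ((process_name="powershell.exe" AND process_command_line="*Compress-Archive*") OR (process_name="rar.exe" AND process_command_line="* a *") OR process_name="7z.exe" OR process_name="*zip.exe")
``` Command-line archiving: PowerShell Compress-Archive, rar with the add verb, any 7z.exe, or any process whose name ends in zip.exe. Sources are Sysmon process creation (event_id=1) and Security 4688. ```
``` Fixes: the rar branch used process_command_line=rar*a*, a pattern anchored at the start of the command line that never matched an invocation beginning with a quoted full path; it now requires the rar add verb ( a ) anywhere. The PowerShell branch only matched the verbatim text -Recurse | Compress-Archive and now matches any Compress-Archive call. The output table now carries the sub-technique, apt, link and date fields that the eval already set but the table discarded. ```
``` NOTE(review): file_create_whitelist is applied here to process-creation events; it is kept unchanged, but if that macro filters on file_path it is either a no-op or drops every row - check it. process_name=*zip.exe is broad and is the likeliest source of noise. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Command Line Usage of Archiving Software",
mitre_category="Collection",
mitre_technique="Archive Collected Data",
mitre_technique_id="T1560",
mitre_subtechnique="Archive via Utility",
mitre_subtechnique_id="T1560.001",
apt=mvappend("APT1","APT28","APT3","APT33","APT39","APT41","APT5","Agrius","Akira","Aquatic Panda","BRONZE BUTLER","Chimera","CopyKittens","Earth Lusca","FIN13","FIN8","Fox Kitten","GALLIUM","Gallmaker","HAFNIUM","INC Ransom","Ke3chang","Kimsuky","Magic Hound","MuddyWater","Mustang Panda","Play","RedCurl","Sowbug","ToddyCat","Turla","Volt Typhoon","Wizard Spider","menuPass"),
mitre_link="https://attack.mitre.org/techniques/T1560/001/",
creator="Cpl Iverson",
last_tested="",
upload_date="2024-12-04",
last_modify_date="2024-12-04",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| `file_create_whitelist`
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`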
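[T1560] LOLBAS Chinese APT Creating a 7z Archive in temp
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="7z.exe" OR original_file_name="7z.exe") AND process_command_line="*a -p*" AND process_command_line="*c:\\windows\\temp\\*"
``` name: LOLBAS Chinese APT Creating a 7z Archive in temp ```
``` uuid: 805be6dd-20d2-42dc-b70a-b058ae83002b ```
``` author: SIMKRA, @SIMKRA202 ```
``` source: https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Creating%20a%207z%20Archive%20in%20temp.yml ```
``` 7z (by name or by original file name, so a renamed binary is still caught) invoked with the add verb and a password (a -p) against c:\windows\temp - staging of collected data for exfiltration. ```
``` Fixes: (1) the previous revision searched only windows-security with the Sysmon field names Image, OriginalFileName and CommandLine; Security 4688 does not expose Image or OriginalFileName, so the search could not match. It now uses the normalised process_name / original_file_name / process_command_line fields that the output table already lists, over both process-creation sources like the other T1560 search in this file. (2) The metadata named the technique OS Credential Dumping under id T1560, which is Archive Collected Data; the name, sub-technique and ATT&CK link are corrected and the Sigma URL moved into the comment above. ```
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Detects the suspicious creation of a password-protected 7z archive in the c:\\windows\\temp\\ folder.",
mitre_category="Collection",
mitre_technique="Archive Collected Data",
mitre_technique_id="T1560",
mitre_subtechnique="Archive via Utility",
mitre_subtechnique_id="T1560.001",
apt="Volt Typhoon",
mitre_link="https://attack.mitre.org/techniques/T1560/001/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-01-07",
last_modify_date="2025-01-07",
mitre_version="v16",
priority="high"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`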