junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
spl/splunk/savedsearches1.conf
junk 805841c2f4 Upload files to "splunk"
2025-04-15 16:11:45 -04:00

2318 lines
148 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[Logon type 4 Batch Logon]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","alert.signature","alert.severity","src_ip","src_port","dest_ip","dest_port","alert.category","Account_Domain","Account_Name","Authentication_Package","ComputerName","Creator_Process_Name","Logon_Process","Logon_Type","Privileges","Process_Command_Line","Process_Name","Security_ID","dest","dest_nt_domain","dest_nt_host","event_id","member_dn","member_id","member_nt_domain","name","privilege","privilege_id","process_name","signature","src","src_user","user","body","category"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = |tstats count from datamodel=event_id.wineventlog_security where wineventlog_security.Logon_Type=4 by wineventlog_security.Account_Name | sort - count
[Logon type 5 windows service logon]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","alert.signature","alert.severity","src_ip","src_port","dest_ip","dest_port","alert.category","Account_Domain","Account_Name","Authentication_Package","ComputerName","Creator_Process_Name","Logon_Process","Logon_Type","Privileges","Process_Command_Line","Process_Name","Security_ID","dest","dest_nt_domain","dest_nt_host","event_id","member_dn","member_id","member_nt_domain","name","privilege","privilege_id","process_name","signature","src","src_user","user","body","category"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = |tstats count from datamodel=event_id.wineventlog_security where wineventlog_security.Logon_Type=5 by wineventlog_security.Account_Name | sort + count
[Event_ID_5140_saved_search]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 13 * * *
description = (Share Accessed) Clone
enableSched = 1
schedule_window = 60
search = `wineventlog-security` EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval DesOnaOon_Sys1=trim(host,"1") | eval DesOnaOon_Sys2=trim(host,"2") | eval Dest_Sys1=lower(DesOnaOon_Sys1) | eval Dest_Sys2=lower(DesOnaOon_Sys2) | rename host AS DesOnaOon | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(DesOnaOon) AS DesOnaOon, dc(DesOnaOon) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name
[Event_ID_5156_saved_search]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 13 * * *
description = (Win FW Connection) changes
enableSched = 1
schedule_window = 60
search = `wineventlog-security` EventCode=5156 NOT (Source_Address="239.255.255.250" OR Source_Address="224.0.0.*" OR Source_Address="::1" OR Source_Address="ff02::*" OR Source_Address="fe80::*" OR Source_Address="255.255.255.255" OR Source_Address=192.168.1.255) NOT (DesOnaOon_Address="127.0.0.1" OR DesOnaOon_Address="239.255.255.250" OR DesOnaOon_Address="*.*.*.255" OR DesOnaOon_Address="224.0.0.25*") NOT (DesOnaOon_Port="0") NOT(ApplicaOon_Name="\\icamsource\\" OR ApplicaOon_Name="*\\bin\\splunkd.exe") | dedup DesOnaOon_Address DesOnaOon_Port | table _Ome, host, ApplicaOon_Name, DirecOon, Source_Address, Source_Port, DesOnaOon_Address, DesOnaOon_Port | sort DirecOon DesOnaOon_Port
[Event_ID_7045_saved_search]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 13 * * *
description = (New Service Added)
enableSched = 1
schedule_window = 15
search = `wineventlog-system` EventCode=7045 NOT (Service_Name=tenable_mw_scan) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _Ome host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message
[tstats zeek conn stats dest_ip]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 17 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.dest_ip \
| sort - count
[tstats zeek conn stats dest_port]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 11 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.dest_port \
| sort - count
[tstats zeek conn stats ja3]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 12 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.ja3\
| sort - count
[tstats zeek conn stats query]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 12 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.query\
| sort - count
[tstats zeek conn stats src_ip]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 11 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.src_ip \
| sort - count
[tstats zeek conn stats src_port]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 11 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.src_port \
| sort - count
[Crtitcal Process Clone]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `sysmon` Image="*\\powershell.exe" OR Image="*\\msbuild.exe" OR Image="*\\psexec.exe" OR Image="*\\at.exe" OR Image="*\\schtasks.exe" OR Image="*\\net.exe" OR Image="*\\vssadmin.exe" OR Image="*\\utilman.exe" OR Image="*\\wmic.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe" OR Image="*\\whoami.exe" OR Image="*\\mmc.exe" OR Image="*\\systeminfo.exe" OR Image="*\\csvde.exe" OR Image="*\\certutil.exe" | stats values(CommandLine) by Image
workload_pool = undefined
[Event_ID_4624_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 13 * * *
description = (Login Success)
dispatch.earliest_time = 0
enableSched = 1
schedule_priority = higher
schedule_window = 60
search = `wineventlog-security` EventCode=4624 NOT (host="DC1" OR host="DC2" OR \
host="DC…") NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON") NOT \
(Account_Name="Service_Account") | eval Account_Domain=(mvindex(Account_Domain,1)) | \
eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name) | \
eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name) | \
eval _time=strpTime(_Ome,"%Y/%m/%d %T") | stats count values(Account_Domain) AS \
Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, \
values(WorkstaOon_Name) AS WS_Name, values(Source_Network_Address) AS Source_IP, \
values(Process_Name) AS Process_Name by Account_Name | where Host_Count > 2
[Event_ID_4663_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 12 * * *
description = ( File/Reg Auditing)
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
enableSched = 1
schedule_window = 15
search = `wineventlog-security` EventCode=4663 NOT (Process_Name="*\\
\Windows\\servicing\\TrustedInstaller.exe" OR "*\\Windows\\System32\\poqexec.exe") NOT \
(Object_Name="*\\Users\\svc_acct\\pnp" OR Object_Name="C:\\Users\\Surf\\AppData\\
\Local\\Google\\Chrome\\User Data*" NOT Object_Name="C:\\Users\\Surf\\AppData\\
\Roaming\\MicrosoW\\Windows\\Recent\\CustomDesOnaOons") NOT (Object_Name="C:\\
\Windows\\System32\\LogFiles\\*" OR Object_Name="*ProgramData\\MicrosoW\\RAC\\*" \
OR Object_Name="*\\MicrosoW\\Windows\\Explorer\\thumbcache*" OR \
Object_Name="*.MAP" OR Object_Name="*counters.dat" OR Object_Name="*\\Windows\\
\Gatherlogs\\SystemIndex\\*") | rename Process_Name as Created_By | table _Ome, Computer, \
EventID, SubjectUserName Caller_Domain src_user dest file_name file_path Keyword process
[Event_ID_4688_exe_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 13 * * *
description = New processes started with suspicious exe files
dispatch.earliest_time = 0
enableSched = 1
schedule_window = auto
search = `wineventlog-security` (EventCode=4688) NOT (Account_Name=*$) (at.exe OR bcdedit.exe OR chcp.exe OR cmd.exe OR cscript.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR bcp.exe OR sqlcmd.exe OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR sc.exe OR schtasks.exe OR sethc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR winrm.* OR winrs.* OR wmic.exe OR wsmprovhost.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) |\
table Computer, SubjectUserName, ParentProcessName, ProcessID, Process_Command_Line , NewProcessName, NewProcessId, Short_Message
[Event_ID_4688_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 13 * * *
description = powershell commands
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
enableSched = 1
schedule_priority = highest
schedule_window = 120
search = `wineventlog-security` (EventCode=4688) (powershell* AND -ExecuOonPolicy) OR(powershell* AND bypass) OR (powershell* AND -noprofile) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table Computer, TargetUserName, process_exec, ParentProcessName, ProcessId, Process_Command_Line, NewProcessName, NewProcessId, Creator_Process_ID, Short_Message
[[T0000] Connections from Uncommon Locations]
action.webhook.enable_allowlist = 0
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_path="C:\\user_names\\*" OR process_path="C:\\ProgramData\\*" OR process_path="C:\\Windows\\Temp\\*" OR process_path="C:\\Temp\\*") initiated=true \
| eval mitre_category="Lateral_Movement,Execution"\
| eval mitre_technique="Connections from Uncommon Locations"\
| eval mitre_technique_id="T0000" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_guid src_ip dst_ip dst_port src_host_name dst_host_name initiated transport mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T0000] Console History]
action.webhook.enable_allowlist = 0
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*Get-History*" OR process_command_line="*AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt*" OR process_command_line="*(Get-PSReadlineOption).HistorySavePath*") \
| eval mitre_category="Collection"\
| eval mitre_technique="Console History"\
| eval mitre_technique_id="T0000" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T0000] Named Pipes - CobaltStrike]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=17 pipe_name="*msagent_*" \
| eval hunting_trigger="default CobaltStrike pipe name"\
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Named Pipes"\
| eval mitre_technique_id="T0000" \
| `pipe_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn pipe_name process_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T0000] Remotely Query Login Sessions - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="qwinsta.exe")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Remotely Query Login Sessions"\
| eval mitre_technique_id="T0000" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_guid src_ip dst_ip dst_port src_host_name dst_host_name initiated transport mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T0000] Named Pipes]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=17 (pipe_name="*isapi_http*" OR pipe_name="*isapi_dg*" OR pipe_name="*isapi_dg2*" OR pipe_name="*isapi_http*" OR pipe_name="*sdlrpc*" OR pipe_name="*aheec*" OR pipe_name="*winsession*" OR pipe_name="*lsassw*" OR pipe_name="*rpchlp_3*" OR pipe_name="*NamePipe_MoreWindows*" OR pipe_name="*pcheap_reuse*" OR pipe_name="*PSEXESVC*" OR pipe_name="*PowerShellISEPipeName_*" OR pipe_name="*csexec*" OR pipe_name="*paexec*" OR pipe_name="*remcom*") \
| eval hunting_trigger="suspicious or known bad pipe names"\
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Named Pipes"\
| eval mitre_technique_id="T1077" \
| `pipe_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn pipe_name process_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T0000] Suspicious filename used]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name=a.exe OR process_name=b.exe OR process_name=c.exe OR process_name=d.exe OR process_name=e.exe OR process_name=f.exe OR process_name=g.exe OR process_name=h.exe OR process_name=i.exe OR process_name=j.exe OR process_name=k.exe OR process_name=l.exe OR process_name=m.exe OR process_name=n.exe OR process_name=o.exe OR process_name=p.exe OR process_name=q.exe OR process_name=r.exe OR process_name=s.exe OR process_name=t.exe OR process_name=u.exe OR process_name=v.exe OR process_name=w.exe OR process_name=x.exe OR process_name=y.exe OR process_name=z.exe OR process_name=1.exe OR process_name=2.exe OR process_name=3.exe OR process_name=4.exe OR process_name=5.exe OR process_name=6.exe OR process_name=7.exe OR process_name=8.exe OR process_name=9.exe OR process_name=0.exe OR process_name=10.exe) \
| eval hunting_trigger="single character filename"\
| eval mitre_category="Execution"\
| eval mitre_technique="Suspicious filename"\
| eval mitre_technique_id="T0000" \
| eval hash_sha256= lower(hash_sha256) \
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid file_description mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T0000] Remotely Query Login Sessions - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="qwinsta.exe")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Remotely Query Login Sessions"\
| eval mitre_technique_id="T0000" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1002] Data Compressed]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="powershell.exe" AND process_command_line="*-Recurse | Compress-Archive*") OR (process_name="rar.exe" AND process_command_line="rar*a*") OR process_name="7z.exe" OR process_name="*zip.exe"\
| eval mitre_category="Exfiltration"\
| eval mitre_technique="Data Compressed"\
| eval mitre_technique_id="T1002" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1002] Data Compressed - Files]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=11 (file_name="*.zip" OR file_name="*.rar" OR file_name="*.arj" OR file_name="*.gz" OR file_name="*.tar" OR file_name="*.tgz" OR file_name="*.7z" OR file_name="*.zip" OR file_name="*.tar.gz" OR file_name="*.bin") \
| eval mitre_category="Exfiltration"\
| eval mitre_technique="Data Compressed"\
| eval mitre_technique_id="T1002" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1003] Credential Dumping - Process Access]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=10) (target_process_path="C:\\Windows\\system32\\lsass.exe") AND (process_granted_access=0x1010 OR process_granted_access=0x1410 OR process_granted_access=0x147a OR process_granted_access=0x143a) process_call_trace="C:\\Windows\\SYSTEM32\\ntdll.dll\*|C:\\Windows\\system32\\KERNELBASE.dll*|UNKNOWN(*)"\
| eval hunting_trigger="Potentially Mimikatz"\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| `process_access_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path target_process_path process_granted_access process_guid target_process_guid process_id target_process_id process_granted_access_description mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1003] Credential Dumping - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) process_path!="C:\\WINDOWS\\system32\\lsass.exe" (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider\\*" OR registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\*" OR registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders\\*" OR registry_key_path="*\\Control\\SecurityProviders\\WDigest\\*") NOT registry_key_path="*\\Lsa\\RestrictRemoteSamEventThrottlingWindow" NOT registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\nolmhash" \
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1003] Credential Dumping - Registry Save]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name=reg.exe (process_command_line="*save*HKLM\\sam*" OR process_command_line="*save*HKLM\\system*") \
| eval hunting_trigger="Reg dump SAM/System db"\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1003] Credential Dumping - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_command_line="*Invoke-Mimikatz -DumpCreds*" OR process_command_line="gsecdump* -a" OR process_command_line="wce* -o" OR process_command_line="procdump* -ma lsass.exe*" OR process_command_line="ntdsutil*ac i ntds*ifm*create full"\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1003] Credential Dumping ImageLoad]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=7 (driver_loaded="C:\\Windows\\System32\\samlib.dll" OR driver_loaded="C:\\Windows\\System32\\WinSCard.dll" OR driver_loaded="C:\\Windows\\System32\\cryptdll.dll" OR driver_loaded="C:\\Windows\\System32\\hid.dll" OR driver_loaded="C:\\Windows\\System32\\vaultcli.dll") (process_path!="*\\Sysmon.exe" process_path!="*\\svchost.exe" process_path!="*\\logonui.exe")\
| transaction process_guid maxspan=5s\
| eval keep = mvcount(driver_loaded)\
| search keep > 3\
| eval hunting_trigger="Probably Mimikatz"\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1004] Winlogon Helper DLL]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\user_nameinit\\*" OR registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*" OR registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\*") \
| eval mitre_category="Persistence"\
| eval mitre_technique="Winlogon Helper DLL"\
| eval mitre_technique_id="T1004" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1012] Query Registry - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="reg.exe" AND process_command_line="*reg* query*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="Query Registry"\
| eval mitre_technique_id="T1012" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1007] System Service Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" OR process_name="tasklist.exe" OR process_name="sc.exe" OR process_name="wmic.exe") AND (process_command_line="*net* start*" OR process_command_line="*tasklist \/svc*" OR process_command_line="*sc* query*" OR process_command_line="wmic* service where*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="System Service Discovery"\
| eval mitre_technique_id="T1007" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1012] Query Registry - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="reg.exe" AND process_command_line="*reg* query*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="Query Registry"\
| eval mitre_technique_id="T1012" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1013] Local Port Monitor]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SYSTEM\CurrentControlSet\Control\Print\Monitors\\*") \
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Local Port Monitor"\
| eval mitre_technique_id="T1013" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1015] Accessibility Features]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=1 process_parent_name="winlogon.exe" (process_name="sethc.exe" OR process_name="utilman.exe" OR process_name="osk.exe" OR process_name="magnify.exe" OR process_name="displayswitch.exe" OR process_name="narrator.exe" OR process_name="atbroker.exe") \
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Accessibility Features"\
| eval mitre_technique_id="T1015" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1016] System Network Configuration Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" AND process_command_line="*net* config*") OR (process_name="ipconfig.exe" OR process_name="netsh.exe" OR process_name="arp.exe" OR process_name="nbtstat.exe") \
| eval mitre_category="Discovery" \
| eval mitre_technique="System Network Configuration Discovery" \
| eval mitre_technique_id="T1016" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1018] Remote System Discovery - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="net.exe" OR process_name="ping.exe")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Remote System Discovery" \
| eval mitre_technique_id="T1018" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1027] Obfuscated Files or Information]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="certutil.exe" AND process_command_line="*encode*") OR process_command_line="*ToBase64String*"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Obfuscated Files or Information"\
| eval mitre_technique_id="T1027" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1028] Windows Remote Management]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="wsmprovhost.exe" OR process_name="winrm.cmd" OR process_command_line="*Enable-PSRemoting -Force*" OR process_command_line="*Invoke-Command -computer_name*" process_command_line="wmic*node*process call create*")\
| eval mitre_category="Lateral_Movement,Execution"\
| eval mitre_technique="Windows Remote Management"\
| eval mitre_technique_id="T1028" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1031] Modify Existing Service]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe") AND (process_command_line="*sc*config*binpath*")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Modify Existing Service"\
| eval mitre_technique_id="T1031" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1033] System Owner/User Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="whoami.exe" OR process_command_line="*whoami*" OR process_command_line="wmic* useraccount get /ALL" OR process_name="qwinsta.exe" OR process_name="quser.exe")\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Owner/User Discovery"\
| eval mitre_technique_id="T1033" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1033] System Owner/User Discovery - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (dest_port=389 OR dest_port=636 OR dest_port=445 OR dest_port=8080) \
| transaction process_guid maxspan=600s \
| eval target_hosts=mvcount(dest_ip) \
| where target_hosts>5 \
| eval mitre_category="Discovery"\
| eval mitre_technique="System Owner/User Discovery"\
| eval hunting_trigger="connections to multiple systems, possibly blood/sharphound"\
| eval mitre_technique_id="T1069" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1018] Remote System Discovery - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" OR process_name="ping.exe") AND (process_command_line="*net* view*" OR process_command_line="*ping *")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Remote System Discovery" \
| eval mitre_technique_id="T1018" \
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1036] Masquerading - Extension]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="*.doc.*" OR process_name="*.docx.*" OR process_name="*.xls.*" OR process_name="*.xlsx.*" OR process_name="*.pdf.*" OR process_name="*.rtf.*" OR process_name="*.jpg.*" OR process_name="*.png.*" OR process_name="*.jpeg.*" OR process_name="*.zip.*" OR process_name="*.rar.*" OR process_name="*.ppt.*" OR process_name="*.pptx.*")\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval hunting_trigger="Malware masquarading as a document"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1036] Masquerading - Location]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=11 (file_path="*SysWOW64*" OR file_path="*System32*" OR file_path="*AppData*") AND (file_name="*.exe" OR file_name="*.dll" OR file_name="*.bat" OR file_name="*.com" OR file_name="*.ps1" OR file_name="*.py" OR file_name="*.js" OR file_name="*.vbs" OR file_name="*.hta") \
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval hunting_trigger="Executable file write in trusted location"\
| eval mitre_technique_id="T1036" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1036] Masquerading - explorer]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="explorer.exe" AND process_parent_name!="userinit.exe") \
| eval hunting_trigger="parent child mismatch"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1036] Masquerading - renamedbin]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=1 | eval process_name=lower(process_name) | eval original_file_name=lower(original_file_name) | where process_name!=original_file_name \
| eval hunting_trigger="Renamed binary"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1036] Masquerading - svchost]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="svchost.exe" AND process_parent_name!="services.exe") OR process_name="scvhost.exe" \
| eval hunting_trigger="parent child mismatch"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1037] Logon Scripts]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*REG*ADD*HKCU\\Environment*UserInitMprLogonScript*")\
| eval mitre_category="Lateral_Movement,Persistence"\
| eval mitre_technique="Logon Scripts"\
| eval mitre_technique_id="T1037" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1040] Network Sniffing]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="tshark.exe" OR process_name="windump.exe" OR process_name="logman.exe" OR process_name="tcpdump.exe" OR process_name="wprui.exe" OR process_name="wpr.exe")\
| eval mitre_category="Credential_Access,Discovery"\
| eval mitre_technique="Network Sniffing"\
| eval mitre_technique_id="T1040" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1040] Network Sniffing - Packet Capture Tools]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="pktmon.exe" OR process_name="tcpdump.exe") OR (original_file_name="pktmon.exe" OR original_file_name="tcpdump.exe") OR (process_name="netsh.exe" AND process_command_line="*trace start capture=yes*")\
| eval hunting_trigger="packet capture tool"\
| eval mitre_category="Discovery,Credential_Access"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1040" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1040] Network Sniffing - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) ((process_name="netsh.exe" AND process_command_line="*trace*start*capture=yes*") OR process_name="tshark.exe" OR process_name="wireshark.exe")\
| eval mitre_category="Credential_Access,Discovery"\
| eval mitre_technique="Network Sniffing"\
| eval mitre_technique_id="T1128" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1042] Change Default File Association]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Classes\\*\\*" OR registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Change Default File Association"\
| eval mitre_technique_id="T1042" | transaction maxspan=1s process_id\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1043] Commonly Used Port]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (dst_port="22" OR dst_port="23" OR dst_port="25" OR dst_port="135" OR dst_port="3389" OR dst_port="5800" OR dst_port="5900" OR dst_port="8080") initiated=true\
| eval mitre_category="Command_and_Control"\
| eval mitre_technique="Commonly Used Port"\
| eval mitre_technique_id="T1043" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_guid src_ip dst_ip dst_port src_host_name dst_host_name initiated transport mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1044] File System Permissions Weakness]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=7 (driver_loaded="*\\Temp\\*" OR driver_loaded="C:\\Users\\*" OR driver_signature_status!="Valid") \
| eval hunting_trigger="Drivers from Temp or Unsigned"\
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="File System Permissions Weakness"\
| eval mitre_technique_id="T1044" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1047] WMI command execution]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=20 wmi_consumer_type="Command Line" \
| eval hunting_trigger="WMI command execution" \
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Windows_Management_Instrumentation"\
| eval mitre_technique_id = "T1047" \
| eval hash_sha256= lower(hash_sha256)\
| `wmi_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
[[T1047] Windows Management Instrumentation - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="wmic.exe" OR process_command_line="*wmic* ")\
| eval mitre_category="Execution" \
| eval mitre_technique="Windows Management Instrumentation" \
| eval mitre_technique_id="T1047" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1047] Windows Management Instrumentation - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_parent_path="*\\wmiprvse.exe" OR process_name="wmic.exe" OR process_command_line="*wmic* ") \
| eval mitre_category="Execution" \
| eval mitre_technique="Windows Management Instrumentation" \
| eval mitre_technique_id="T1047" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1049] System Network Connections Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" OR process_name="netstat.exe") AND (process_command_line="*net* use*" OR process_command_line="*net* sessions*" OR process_command_line="*net* file*" OR process_command_line="*netstat*") OR process_command_line="*Get-NetTCPConnection*"\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Network Connections Discovery"\
| eval mitre_technique_id="T1049" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1050] New Service - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe") AND (process_command_line="*New-Service*BinaryPathName*" OR process_command_line="*sc*create*binpath*" OR process_command_line="*Get-WmiObject*Win32_Service*create*")\
| eval mitre_category="Persistence,Privilege_Escalation,Execution"\
| eval mitre_technique="New Service"\
| eval mitre_technique_id="T1050" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1053] Scheduled Task - FileAccess]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=11 process_path!="C:\\WINDOWS\\system32\\svchost.exe" (file_path="C:\\Windows\\System32\\Tasks\\*" OR file_path="C:\\Windows\\Tasks\\*") \
| eval mitre_category="Persistence,Privilege_Escalation,Execution"\
| eval mitre_technique="Scheduled Task"\
| eval mitre_technique_id="T1053" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1053] Scheduled Task - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="taskeng.exe" OR process_name="schtasks.exe" OR process_name="svchost.exe" process_parent_path!="C:\\Windows\\System32\\services.exe") \
| eval mitre_technique_id="T1053" \
| eval mitre_category="Persistence,Privilege_Escalation,Execution"\
| eval mitre_technique="Scheduled Task"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1054] Indicator Blocking - Driver unloaded]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="fltmc.exe" OR process_command_line="*fltmc*unload*")\
| eval hunting_trigger="Unknown Sysmon Config loaded"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Indicator Blocking"\
| eval mitre_technique_id="T1054" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1054] Indicator Blocking - Sysmon registry edited from other source]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\*" OR registry_key_path="HKLM\\System\\CurrentControlSet\\Services\\Sysmon\\*" OR registry_key_path="HKLM\\System\\CurrentControlSet\\Services\\Sysmon64\\*") process_name!="Sysmon64.exe" process_name!="Sysmon.exe" \
| eval hunting_trigger="Sysmon registry edited from other source"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Indicator Blocking"\
| eval mitre_technique_id="T1054" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1054] Indicator Blocking - Unknown Sysmon Config loaded]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=16 NOT [|inputlookup trusted-sysmon-configurations.csv | fields hash_sha1]\
| eval hunting_trigger="Unknown Sysmon Config loaded"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Indicator Blocking"\
| eval mitre_technique_id = "T1054"\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime host_fqdn sysmon_configuration hash_sha1 mitre_category mitre_technique mitre_technique_id hunting_trigger\
| rename hash_sha1 as "Unknown HASH"\
| collect `jarvis_index`
[[T1055] Process Injection]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=8 (StartFunction="*LoadLibrary*") \
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Process Injection"\
| eval mitre_technique_id = "T1055"\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_name target_process_path target_process_address thread_new_id process_guid process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1055] Process Injection - CobaltStrike]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=8 target_process_address=0x*0B80\
| eval hunting_trigger="CobaltStrike injection"\
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Process Injection"\
| eval mitre_technique_id = "T1055"\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_name target_process_path target_process_address thread_new_id process_guid process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1055] Process Injection - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_command_line="*Invoke-DllInjection*" OR process_command_line="*c:\\windows\sysnative\\*" \
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Process Injection"\
| eval mitre_technique_id="T1055" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1060] Registry Run Keys or Start Folder]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" OR registry_key_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\Explorer\\*Shell Folders") \
| eval mitre_category="Persistence"\
| eval mitre_technique="Registry Run Keys or Start Folder"\
| eval mitre_technique_id="T1060" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1060] Registry Run Keys or Start Folder - Folder Changed]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=13 registry_key_path="HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup" AND registry_key_details!="*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" \
| eval mitre_category="Persistence"\
| eval mitre_technique="Registry Run Keys or Start Folder"\
| eval hunting_trigger="User start folder changed"\
| eval mitre_technique_id="T1060" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1063] Security Software Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="netsh.exe" OR process_name="reg.exe" OR process_name="tasklist.exe") AND (process_command_line="*reg* query*" OR process_command_line="*tasklist *" OR process_command_line="*netsh*" OR process_command_line="*fltmc*|*findstr*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Security Software Discovery"\
| eval mitre_technique_id="T1063" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1069] Permission Groups Discovery - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 3-15/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="net.exe" or process_name="net1.exe")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Permission Groups Discovery" \
| eval mitre_technique_id="T1069" \
| `network_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1069] Permission Groups Discovery - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name="net.exe" AND (process_command_line="*net* user*" OR process_command_line="*net* group*" OR process_command_line="*net* localgroup*" OR process_command_line="*get-localgroup*" OR process_command_line="*get-ADPrinicipalGroupMembership*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Permission Groups Discovery"\
| eval mitre_technique_id="T1069" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1070] Indicator Removal on Host]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="wevtutil.exe" OR process_command_line="*wevtutil* cl*")\
| eval mitre_category="Defense_Evasion" \
| eval mitre_technique="Indicator Removal on Host" \
| eval mitre_technique_id="T1070" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1071] Standard Application Layer Protocol]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=22 [| inputlookup doh.csv] \
| eval mitre_category="Command_and_Control"\
| eval mitre_technique="Standard Application Layer Protocol"\
| eval hunting_trigger="DNS over HTTPS used" \
| eval mitre_technique_id="T1071" \
| eval event_description="DNS Query" | `dns_whitelist` | table _time indextime event_description host_fqdn process_path query_name query_status query_results process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1073] DLL Side-Loading - WMI]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=7 (driver_loaded="wmiutils.dll") (process_path!="C:\\Windows\\*")\
| eval hunting_trigger="Possibly non-legit WMI use"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="DLL Side-Loading"\
| eval mitre_technique_id="T1073" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1074] Data Staged - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*DownloadString*" AND process_command_line="*Net.WebClient*" process_command_line="*New-Object*" AND process_command_line="*IEX*") \
| eval mitre_category="Collection"\
| eval mitre_technique="Data Staged"\
| eval mitre_technique_id="T1074" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1075] Pass the Hash NULL SID]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` `windows-security` EventID=4624 AND ((Security_ID="NULL SID" OR Security_ID="S-1-0-0") AND (Logon_Type="3") AND (Source_Network_Address != "*::1*") AND (Logon_Process="*NtLmSsp") AND (Package_Name__NTLM_only_="*NTLM V2") AND (Key_Length="0") AND (user != "*ANONYMOUS LOGON" OR Account_Name != "*ANONYMOUS LOGON")) \
| eval hunting_trigger="NULL SID used"\
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Pass the Hash"\
| eval mitre_technique_id="T1075"\
| eval target_user_name=mvindex(Account_Name,1) \
| eval user_name=mvindex(Account_Name,0) \
| eval target_user_domain=mvindex(Account_Domain,1) \
| rename ComputerName as host_fqdn, Source_Network_Address as src_ip, Workstation_Name as src_host_name \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime,host_fqdn, user_sid, user_name src_host_name src_ip target_user_name target_user_domain mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1076] Remote Desktop Protocol - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_path="*\\tscon.exe" OR process_name="mstsc.exe") OR dst_port=3389 initiated=true\
| eval mitre_category="Lateral_Movement" \
| eval mitre_technique="Remote Desktop Protocol" \
| eval mitre_technique_id="T1076" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1076] Remote Desktop Protocol - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="tscon.exe" OR process_name="mstsc.exe") \
| eval mitre_category="Lateral_Movement" \
| eval mitre_technique="Remote Desktop Protocol" \
| eval mitre_technique_id="T1076" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1076] Remote Desktop Protocol - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (process_path="C:\\Windows\\system32\\LogonUI.exe" OR registry_key_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\*") \
| eval mitre_category="Lateral_Movement" \
| eval mitre_technique="Remote Desktop Protocol" \
| eval mitre_technique_id="T1076" \
| eval hunting_trigger="RDP logon" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1077] Windows Admin Shares - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="net.exe") AND (process_command_line="*net* use*$" OR process_command_line="*net* session*$" OR process_command_line="*net* file*$")\
| eval mitre_category="Lateral_Movement" \
| eval mitre_technique="Windows Admin Shares" \
| eval mitre_technique_id="T1077" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1077] Windows Admin Shares - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" OR process_name=powershell.exe) AND (process_command_line="*net* use*$" OR process_command_line="*net* session*$" OR process_command_line="*net* file*$" process_command_line=""*New-PSDrive*root*)\
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Windows Admin Shares"\
| eval mitre_technique_id="T1077" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1077] Windows Admin Shares - Process - Created]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe") AND (process_command_line="*net* share*$")\
| eval hunting_trigger="Share creation"\
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Windows Admin Shares"\
| eval mitre_technique_id="T1077" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1081] Credentials in Files]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*findstr* /si pass*" OR process_command_line="*select-string -Pattern pass*" OR process_command_line="*list vdir*/text:password*") \
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credentials in Files"\
| eval mitre_technique_id="T1081" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1082] System Information Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="sysinfo.exe") OR (process_name="reg.exe" AND process_command_line="reg*query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum")\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Information Discovery"\
| eval mitre_technique_id="T1082" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1084] Windows Management Instrumentation Event Subscription]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=21 \
| eval mitre_category="Execution"\
| eval mitre_technique="Windows Management Instrumentation Event Subscription"\
| eval mitre_technique_id="T1084" \
| `wmi_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1085] Rundll32]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_parent_path="*\\rundll32.exe" OR process_name="rundll32.exe") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Rundll32"\
| eval mitre_technique_id="T1085" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1086] PowerShell]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="powershell.exe" OR process_name="powershell_ise.exe" OR process_name="psexec.exe") \
| eval mitre_category="Execution"\
| eval mitre_technique="PowerShell"\
| eval mitre_technique_id="T1086" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1086] PowerShell Base64 block used]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = | multisearch \
[ search `index_time` `powershell` (EventID=400 OR EventID=500) \
| eval MessageA=split(Message,"Details:") \
| eval Short_Message=mvindex(MessageA,1) \
| eval MessageA=split(Short_Message,"HostVersion=") \
| eval MessageA=mvindex(MessageA,1) \
| eval MessageB=split(MessageA,"HostId=") \
| eval PS_Version=mvindex(MessageB,0) \
| eval MessageC=mvindex(MessageB,1) \
| eval MessageD=split(MessageC,"HostApplication=") \
| eval Host_ID=mvindex(MessageD,0) \
| eval MessageE=mvindex(MessageD,1) \
| eval MessageF=split(MessageE,"EngineVersion=") \
| eval Host_Application=mvindex(MessageF,0) \
| eval MessageG=mvindex(MessageF,1) \
| eval MessageH=split(MessageG,"RunspaceId=") \
| eval Engine_Version=mvindex(MessageH,0) \
| eval MessageJ=mvindex(MessageH,1) \
| eval MessageP=split(MessageJ,"process_command_line=") \
| eval Command_Line=mvindex(MessageP,1) \
| rex field=Host_Application "(?<Base64_Data>.[a-zA-Z0-9]{25,1000}+={1})" \
| fields _time host_fqdn, host, PS_Version, Engine_Version, Host_Application, base64_data, Command_Line | rename Command_Line as process_command_line, HostName as host_fqdn, Host_Application as process_path\
| where NOT isnull(base64_data)] \
[ search `indextime` `windows-security` (EventID=4688) \
| rex field=Process_Command_Line "(?<base64_data>.[a-zA-Z0-9]{25,1000}+={1})" \
| fields _time host base64_data, Process_Command_Line | rename Process_Command_Line as process_command_line, HostName as host_fqdn\
| where NOT isnull(base64_data)] \
[ search `indextime` `sysmon` (EventID=1) process_name="powershell.exe" \
| rex field=process_command_line "(?<base64_data>.[a-zA-Z0-9//+]{25,1000}+={1})" \
| fields _time host_fqdn base64_data, process_command_line, process_path, user_name \
| where NOT isnull(base64_data)] \
| eval hunting_trigger="Base64 block used"\
| eval mitre_category="Execution"\
| eval mitre_technique="PowerShell"\
| eval mitre_technique_id = "T1086"\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime, host_fqdn, base64_data, PS_Version, Engine_Version, Host_Application, process_command_line, process_path, user_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1086] PowerShell Downloads - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*.Download*" OR process_command_line="*Net.WebClient*") \
| eval hunting_trigger="Download or web connection"\
| eval mitre_category="Execution"\
| eval mitre_technique="PowerShell"\
| eval mitre_technique_id="T1086" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1086] PowerShell Downloads - WinProcess]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` `windows-security` EventID=4688 (".Download" OR "Net.WebClient") \
| eval hunting_trigger="Download or web connection" \
| eval mitre_category="Execution" \
| eval mitre_technique="PowerShell" \
| eval mitre_technique_id="T1086" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime, host, host_fqdnName, Account_Name, New_Process_Name, Process_Command_Line| rename Process_Command_Line as process_command_line, New_Process_Name as process_path, Account_Name as user_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1087] Account Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" OR process_name="powershell.exe") AND (process_command_line="*net* user*" OR process_command_line="*net* group*" OR process_command_line="*net* localgroup*" OR process_command_line="cmdkey*\/list*" process_command_line="*get-localuser*" OR process_command_line="*get-localgroupmembers*" OR process_command_line="*get-aduser*" OR process_command_line="query*user*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Account Discovery"\
| eval mitre_technique_id="T1087" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1088] Bypass User Account Control - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_parent_path="*\\eventvwr.exe" OR process_parent_path="*\\fodhelper.exe") \
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Bypass User Account Control"\
| eval mitre_technique_id="T1088" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1088] Bypass User Account Control - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\mscfile\\shell\\open\\command\\*" OR registry_key_path="*\\ms-settings\\shell\\open\\command\\*") AND (user_sid!="S-1-5-18" OR user_sid!="S-1-5-19" OR user_sid!="S-1-5-20")\
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Bypass User Account Control"\
| eval mitre_technique_id="T1088" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1089] Disabling Security Tools - Service stopped]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name=net.exe OR process_name=sc.exe) cmdline="* stop *"\
| eval hash_sha256= lower(hash_sha256)\
| eval hunting_trigger="Service stopped"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Disabling Security Tools"\
| eval mitre_technique_id = "T1089"\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1089] Disabling Security Tools - Sysmon service state change]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = | multisearch [search `index_time` `sysmon` EventID=4 State!=Started | fields _time host_fqdn service_state] [search `indextime` `windows-security` EventID=7036 Message="*Sysmon*" \
| eval hunting_trigger="Sysmon state change"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Disabling Security Tools"\
| eval mitre_technique_id = "T1089"\
| rename HostName as host_fqdn Message as service_state | fields host_fqdn service_state] | eval indextime = _indextime | convert ctime(indextime) | table _time indextime host_fqdn service_state mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1089] Disabling Security Tools - Sysmon service was terminated]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` `windows-security` EventCode=7034 Message="*Sysmon*"\
| eval hunting_trigger="Sysmon service was terminated"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Disabling Security Tools"\
| eval mitre_technique_id="T1089" \
| rename ComputerName as Computer Message as State \
| eval indextime = _indextime | convert ctime(indextime) | table Computer State mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1093] Process Hollowing]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="smss.exe" AND process_parent_name!="smss.exe") OR (process_name="csrss.exe" AND (process_parent_name!="smss.exe" AND process_parent_name!="svchost.exe")) OR (process_name="wininit.exe" AND process_parent_name!="smss.exe") OR (process_name="winlogon.exe" AND process_parent_name!="smss.exe") OR (process_name == "lsass.exe" and parent_process_name != "wininit.exe") OR (process_name="LogonUI.exe" AND (process_parent_name!="winlogon.exe" AND process_parent_name!="wininit.exe")) OR (process_name="services.exe" AND process_parent_name!= "wininit.exe") OR (process_name="spoolsv.exe" AND process_parent_name!= "services.exe") OR (process_name="taskhost.exe" AND (process_parent_name!="services.exe" AND process_parent_name!="svchost.exe")) OR (process_name="taskhostw.exe" AND (process_parent_name!="services.exe" AND process_parent_name!="svchost.exe")) OR (process_name="userinit.exe" AND (process_parent_name!="dwm.exe" AND process_parent_name!="winlogon.exe")) \
| eval hunting_trigger="parent child mismatch"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Process Hollowing"\
| eval mitre_technique_id="T1093" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1093] Process Hollowing - commandline]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="" OR process_command_line=$$process_path$$)\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Process Hollowing"\
| eval hunting_trigger="possible hollowed process"\
| eval mitre_technique_id="T1093" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1093] Process Hollowing - office commandline]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_parent_name="winword.exe" OR process_parent_name="excel.exe" OR process_parent_name="outlook.exe") process_command_line="C:\\Program Files\\Microsoft Office\\*-enc*"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Process Hollowing"\
| eval hunting_trigger="possible hollowed process"\
| eval mitre_technique_id="T1093" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1096] NTFS File Attributes]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name="fsutil.exe" proces_command_line="*usn*deletejournal*" \
| eval hunting_trigger="MFT/USN modification"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="NTFS_File_Attributes"\
| eval mitre_technique_id="T1096" \
| eval hash_sha256= lower(hash_sha256) \
| `process_create_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1097] Pass the ticket]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` `windows-security` (EventCode=4771 OR EventCode=4768 OR EventCode=4769) Failure_Code=0x1F\
| eval mitre_category="Lateral_Movement"\
| eval mitre_technique="Pass_the_Ticket"\
| eval mitre_technique_id = "T1097"\
| collect `jarvis_index`
[[T1101] Security Support Provider]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\process_path File Execution Options\\LSASS.exe") \
| eval mitre_category="Persistence" \
| eval mitre_technique="Security Support Provider" \
| eval mitre_technique_id="T1101" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1103] AppInit DLLs]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR registry_key_path="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") \
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="AppInit DLLs"\
| eval mitre_technique_id="T1103" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1107] File Deletion]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*remove-item*" OR process_command_line="vssadmin*Delete Shadows /All /Q*" OR process_command_line="*wmic*shadowcopy delete*" OR process_command_line="*wbdadmin* delete catalog -q*" OR process_command_line="*bcdedit*bootstatuspolicy ignoreallfailures*" OR process_command_line="*bcdedit*recoveryenabled no*")\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="File Deletion"\
| eval mitre_technique_id="T1107" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1112] Modify Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 2-15/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="reg.exe" AND process_command_line!="*query*")\
| eval mitre_category="Defense_Evasion" \
| eval mitre_technique="Modify Registry" \
| eval mitre_technique_id="T1112" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1115] Clipboard Data]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="clip.exe" OR process_command_line="*Get-Clipboard*")\
| eval mitre_category="Collection"\
| eval mitre_technique="Clipboard Data"\
| eval mitre_technique_id="T1115" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1117] Regsvr32 - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_parent_path="*\\regsvr32.exe" OR process_path="*\\regsvr32.exe") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Regsvr32"\
| eval mitre_technique_id="T1117" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1118] InstallUtil]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="InstallUtil.exe" OR process_command_line="*\/logfile= \/LogToConsole=false \/U*")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="InstallUtil"\
| eval mitre_technique_id="T1118" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1121] Regsvcs/Regasm]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="regsvcs.exe" OR process_name="regasm.exe")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Regsvcs/Regasm"\
| eval mitre_technique_id="T1121" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1122] Component Object Model Hijacking]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\Software\\Classes\\CLSID\\*") \
| eval mitre_category="Persistence,Defense_Evasion"\
| eval mitre_technique="Component Object Model Hijacking"\
| eval mitre_technique_id="T1122" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1123] Audio Capture]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="SoundRecorder.exe" OR process_command_line="*Get-AudioDevice*" OR process_command_line="*WindowsAudioDevice-Powershell-Cmdlet*")\
| eval mitre_category="Collection"\
| eval mitre_technique="Audio Capture"\
| eval mitre_technique_id="T1123" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1124] System Time Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_path="*\\net.exe" AND process_command_line="*net* time*") OR process_name="w32tm.exe" OR process_command_line="*Get-Date*"\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Time Discovery"\
| eval mitre_technique_id="T1124" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1126] Network Share Connection Removal]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" AND process_command_line="*net* delete*") OR process_command_line="*Remove-SmbShare*" OR process_command_line="*Remove-FileShare*"\
| eval hunting_trigger="Share removal"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Network Share Connection Removal"\
| eval mitre_technique_id="T1126" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1127] Trusted Developer Utilities]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="MSBuild.exe" OR process_name="msxsl.exe") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Trusted Developer Utilities"\
| eval mitre_technique_id="T1127" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1127] Trusted Developer Utilities - net2]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=11 target_file_name="*\\AppData\\Local\\Microsoft\\CLR_v2.0*\\UsageLogs\\*"\
| eval hunting_trigger=".Net 2.0 compatible execution, probably bad"\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Trusted Developer Utilities"\
| eval mitre_technique_id="T1127" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1128] Netsh Helper DLL - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="netsh.exe" AND process_command_line="*helper*")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Netsh Helper DLL"\
| eval mitre_technique_id="T1128" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1128] Netsh Helper DLL - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\Microsoft\Netsh\\*") \
| eval mitre_category="Persistence"\
| eval mitre_technique="Netsh Helper DLL"\
| eval mitre_technique_id="T1128" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1130] Install Root Certificate]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) process_name!="svchost.exe" AND (registry_key_path="*\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\*" OR registry_key_path="*\\Microsoft\\SystemCertificates\\Root\\Certificates\\*")\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Install Root Certificate"\
| eval mitre_technique_id="T1130" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1131] Authentication Package]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\*") AND NOT (process_path="C:\\WINDOWS\\system32\\lsass.exe" OR process_path="C:\\Windows\\system32\\svchost.exe" OR process_path="C:\\Windows\\system32\\services.exe")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Authentication Package"\
| eval mitre_technique_id="T1131" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1135] Network Share Discovery - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 4-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 process_name="net.exe" AND (process_command_line="*net* view*" OR process_command_line="*net* share*")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Network Share Discovery" \
| eval mitre_technique_id="T1135" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1135] Network Share Discovery - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="net.exe" AND (process_command_line="*net* view*" OR process_command_line="*net* share*")) OR process_command_line="*get-smbshare -Name*"\
| eval mitre_category="Discovery"\
| eval mitre_technique="Network Share Discovery"\
| eval mitre_technique_id="T1135" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1136] Create Account]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*New-LocalUser*" OR process_command_line="*net*user*add*")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Create Account"\
| eval mitre_technique_id="T1136" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1138] Application Shimming - FileAccess]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=11 (file_path="C:\\Windows\\AppPatch\\Custom\\*") \
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Application Shimming"\
| eval mitre_technique_id="T1138" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1138] Application Shimming - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 5-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name="sdbinst.exe" \
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Application Shimming"\
| eval mitre_technique_id="T1138" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1138] Application Shimming - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*") \
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Application Shimming"\
| eval mitre_technique_id="T1138" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1140] Deobfuscate/Decode Files or Information]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="certutil.exe" AND process_command_line="*decode*")\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Deobfuscate/Decode Files or Information"\
| eval mitre_technique_id="T1140" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1146] Clear Command History]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*rm (Get-PSReadlineOption).HistorySavePath*" OR process_command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR process_command_line="*Set-PSReadlineOption HistorySaveStyle SaveNothing*" OR process_command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") \
| eval mitre_category="Collection"\
| eval mitre_technique="Console History"\
| eval mitre_technique_id="T1146" \
| eval hash_sha256= lower(hash_sha256) \
| `process_create_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1158] Hidden Files and Directories]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name="attrib.exe" AND ( process_command_line="*+h*" OR process_command_line="*+s*")\
| eval mitre_category="Persistence,Defense_Evasion"\
| eval mitre_technique="Hidden_Files_and_Directories"\
| eval mitre_technique_id="T1158" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1158] Hidden Files and Directories - VSS]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_path="*\\VolumeShadowCopy*\\*" OR process_commandline="*\\VolumeShadowCopy*\\*")\
| eval mitre_category="Defense_Evasion,Persistence"\
| eval mitre_technique="Hidden Files and Directories"\
| eval hunting_trigger="VolumeShadowCopy execution"\
| eval mitre_technique_id="T1158" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1170] MSHTA - FileAccess]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=11 or EventID=15) (file_path="*.hta") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="MSHTA"\
| eval mitre_technique_id="T1170" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1170] MSHTA - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_parent_path="*\\mshta.exe" OR process_path="*\\mshta.exe") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="MSHTA"\
| eval mitre_technique_id="T1047" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1170] MSHTA - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_parent_path="*\\mshta.exe" OR process_name="mshta.exe") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="MSHTA"\
| eval mitre_technique_id="T1047" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1179] Hooking]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name="mavinject.exe" OR process_command_line="*/INJECTRUNNING*" \
| eval mitre_category="Persistence,Privilege_Escalation,Credential_Access"\
| eval mitre_technique="Hooking"\
| eval mitre_technique_id="T1179" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1180] Screensaver]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE") AND (process_parent_name!="explorer.exe" OR process_name!="rundll32.exe" OR process_command_line!="*shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Screensaver"\
| eval mitre_technique_id="T1180" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1182] AppCert DLLs]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\*")\
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="AppCert DLLs"\
| eval mitre_technique_id="T1182" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1183] Image File Execution Options Injection]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" OR registry_key_path="*\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*")\
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Image File Execution Options Injection"\
| eval mitre_technique_id="T1183" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1187] Forced Authentication]
action.webhook.enable_allowlist = 0
cron_schedule = 6-59/60 * * * *
enableSched = 1
search = `index_time` search `sysmon` EventID=11 (file_path="*.lnk" OR file_path="*.scf")\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Forced Authentication"\
| eval mitre_technique_id="T1187" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1191] CMSTP]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="CMSTP.exe")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="CMSTP"\| eval mitre_technique_id="T1191" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1193] Spearphishing Attachment]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=11 (file_name="*.docm" OR file_name="*.xlsm" OR file_name="*.pptm" OR file_name="*.ps1" OR file_name="*.py" OR file_name="*.js" OR file_name="*.vbs" OR file_name="*.hta" OR file_name="*.bat" OR file_name="*.slk" OR file_name="*.jspx" OR file_name="*.cmd" OR file_name="*.php" OR file_name="*.pyw" OR file_name="*.xla" OR file_name="*.application" OR file_name="*.potm" OR file_name="*.csproj" OR file_name="*.aspx" OR file_name="*.exe") \
| eval mitre_category="Initial_Access"\
| eval mitre_technique="Spearphishing Attachment"\
| eval hunting_trigger="Potentially malicious file saved"\
| eval mitre_technique_id="T1193" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1193] Spearphishing Attachment - Opened]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=13 registry_key_path="*trustrecords*" OR registry_key_path="*TargetObject=*Software\\Microsoft\\VBA\\7.1\\Common*" \
| eval mitre_category="Initial_Access"\
| eval mitre_technique="Spearphishing Attachment"\
| eval hunting_trigger="Macro enabled for document"\
| eval mitre_technique_id="T1193" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1196] Control Panel Items - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 10-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*control* \/name*" OR process_command_line="rundll32* shell32.dll,Control_RunDLL") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Control Panel Items"\
| eval mitre_technique_id="T1196" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1196] Control Panel Items - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 11-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace*" OR registry_key_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\*\\Shellex\\PropertySheetHandlers\\*" OR registry_key_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\*") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Control Panel Items"\
| eval mitre_technique_id="T1196" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1197] BITS Jobs - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 14-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name="bitsadmin.exe")\
| eval mitre_category="Persistence,Defense_Evasion"\
| eval mitre_technique="BITS Jobs"\
| eval mitre_technique_id="T1197" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1197] BITS Jobs - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="bitsadmin.exe" OR process_command_line="*Start-BitsTransfer*") \
| eval mitre_category="Persistence,Defense_Evasion"\
| eval mitre_technique="BITS Jobs"\
| eval mitre_technique_id="T1197" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1201] Password Policy Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*net* accounts*" OR process_command_line="*net* accounts \/domain*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Password Policy Discovery"\
| eval mitre_technique_id="T1201" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1202] Indirect Command Execution]
action.webhook.enable_allowlist = 0
cron_schedule = 1-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_parent_name="pcalua.exe" OR process_name="pcalua.exe" OR process_name="bash.exe" OR process_name="forfiles.exe")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Indirect Command Execution"\
| eval mitre_technique_id="T1202" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1208] Kerberoasting]
action.webhook.enable_allowlist = 0
cron_schedule = 8-59/60 * * * *
enableSched = 1
search = `index_time` `windows-security` EventCode=4769 Ticket_Encryption_Type=0x17 Service_ID!=NONE_MAPPED Account_Name!="sa_*"\
| transaction Account_Name maxpause=60s maxevents=500\
| where eventcount>10\
|where Service_ID>1\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Kerberoasting"\
| eval mitre_technique_id = "T1208"\
| eval indextime = _indextime | convert ctime(indextime) | table Account_Name Service_ID eventcount mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1209] Time Providers]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="*\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Indirect Command Execution"\
| eval mitre_technique_id="T1209" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1214] Credentials in Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 7-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*reg* query HKLM \/f password \/t REG_SZ \/s*" OR process_command_line="reg* query HKCU \/f password \/t REG_SZ \/s" OR process_command_line="*Get-UnattendedInstallFile*" OR process_command_line="*Get-Webconfig*" OR process_command_line="*Get-ApplicationHost*" OR process_command_line="*Get-SiteListPassword*" OR process_command_line="*Get-CachedGPPPassword*" OR process_command_line="*Get-RegistryAutoLogon*") \
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credentials in Registry"\
| eval mitre_technique_id="T1214" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1216] Signed Script Proxy Execution]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*cscript*script\:http\[\:\]\/\/*" OR process_command_line="*wscript*script\:http\[\:\]\/\/*" OR process_command_line="*certutil*script\:http\[\:\]\/\/*" OR process_command_line="*jjs*-scripting*")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Signed Script Proxy Execution"\
| eval mitre_technique_id="T1216" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1217] Browser Bookmark Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*firefox*places.sqlite*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="Browser Bookmark Discovery"\
| eval mitre_technique_id="T1217" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_gui mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`d
[[T1218] Signed Binary Proxy Execution - Network]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=3 (process_name=certutil.exe OR process_command_line="*certutil*script\:http\[\:\]\/\/*" OR process_path="*\\replace.exe")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Signed Binary Proxy Execution"\
| eval mitre_technique_id="T1218" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1218] Signed Binary Proxy Execution - Process]
action.webhook.enable_allowlist = 0
cron_schedule = 12-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_command_line="*mavinject*\/injectrunning*" OR process_command_line="mavinject32*\/injectrunning*" OR process_command_line="*certutil*script\:http\[\:\]\/\/*" OR process_command_line="*certutil*script\:https\[\:\]\/\/*" OR process_command_line="*msiexec*http\[\:\]\/\/*" OR process_command_line="*msiexec*https\[\:\]\/\/*")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Signed Binary Proxy Execution"\
| eval mitre_technique_id="T1218" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1223] Compiled HTML File]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) process_name="hh.exe"\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Compiled HTML File"\
| eval mitre_technique_id="T1223" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[ip iocs]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
search = index=zeek_* [|inputlookup ip.csv | return 10000 %ip ] AND NOT reddit | stats count
[hash ioc]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
search = index=windows hash source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" [| inputlookup hashes.csv | reverse | return 300000 $hash]
[hash ioc test]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
search = index=windows hash source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" [| inputlookup hashes.csv | return 300000 $hash] \
| stats count
[test_suricata]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 15 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
search = index=suricata | table _time dest_ip dest_port src_ip src_port proto timestamp alert.severity alert.category alert.signature alert.rule | `suricata_whitelist` |collect `test_suricata`
[Get-ADUser Enumeration Using UserAccountControl Flags]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
description = Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*Get-ADUser*" ScriptBlockText="*-Filter*" ScriptBlockText="*useraccountcontrol*" ScriptBlockText="*-band*" ScriptBlockText="*4194304*" | collect index=sigma
[Powershell Detect Virtualization Environment]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 3 * * *
description = description: |\
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\
references:\
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md\
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText IN ("*Get-WmiObject*", "*gwmi*") ScriptBlockText IN ("*MSAcpi_ThermalZoneTemperature*", "*Win32_ComputerSystem*") | collect index=sigma
[Dump Credentials from Windows Credential Manager With PowerShell]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 4 * * *
description = description: |\
Adversaries may search for common password storage locations to obtain user credentials.\
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.\
references:\
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText IN ("*Get-PasswordVaultCredentials*", "*Get-CredManCreds*") OR (ScriptBlockText="*New-Object*" ScriptBlockText="*Windows.Security.Credentials.PasswordVault*") OR (ScriptBlockText="*New-Object*" ScriptBlockText="*Microsoft.CSharp.CSharpCodeProvider*" ScriptBlockText="*[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())*" ScriptBlockText="*Collections.ArrayList*" ScriptBlockText="*System.CodeDom.Compiler.CompilerParameters*") | collect index=sigma
[Windows Screen Capture with CopyFromScreen]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 5 * * *
description = Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\
Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\
references:\
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*.CopyFromScreen*" | collect index=sigma
[Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 6 * * *
description = description: |\
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.\
references:\
- https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = (ParentImage="*/sshd" CommandLine IN ("bash -c*", "sh -c*") User="root") OR (ParentImage="*/sshd" Image="*/sshd" User="sshd") | collect index=sigma
[Access to Browser Login Data]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\
Web browsers typically store the credentials in an encrypted format within a credential store.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*Copy-Item*" ScriptBlockText="*-Destination*" ScriptBlockText IN ("*\\Opera Software\\Opera Stable\\Login Data*", "*\\Mozilla\\Firefox\\Profiles*", "*\\Microsoft\\Edge\\User Data\\Default*", "*\\Google\\Chrome\\User Data\\Default\\Login Data*", "*\\Google\\Chrome\\User Data\\Default\\Login Data For Account*")
[CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = description: |\
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.\
references:\
- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py\
- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = "cs-method"="GET" "cs-uri-stem"="*/access/set*" "cs-uri-stem"="*param=enableapi*" "cs-uri-stem"="*value=1*" "Basic Jz" OR "Basic c7" OR "Basic nO" OR "Basic ';" | collect index=sigma
[Create Volume Shadow Copy with Powershell]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*win32_shadowcopy*" ScriptBlockText="*).Create(*" ScriptBlockText="*ClientAccessible*" | collect index=sigma
[Exploitation Indicators Of CVE-2023-20198]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.\
references:\
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z\
- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
enableSched = 1
search = "%WEBUI-6-INSTALL_OPERATION_INFO:" OR "%SYS-5-CONFIG_P:" OR "%SEC_LOGIN-5-WEBLOGIN_SUCCESS:" "cisco_tac_admin" OR "cisco_support" OR "cisco_sys_manager"
[[T1073] DLL Side-Loading - PowerShell]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` `sysmon` EventID=7 (driver_loaded="*\\System.Management.Automation.ni.dll" OR driver_loaded="*\\System.Management.Automation.dll" OR driver_loaded="*\\PowerShdll.dll") (process_name!="powershell.exe" AND process_name!="powershell_ise.exe")\
| eval hunting_trigger="Possibly non-legit PowerShell"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="DLL Side-Loading"\
| eval mitre_technique_id="T1073" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1059] Command-Line Interface]
action.webhook.enable_allowlist = 0
cron_schedule = 9-59/60 * * * *
enableSched = 1
search = `index_time` (`sysmon` EventID=3) (process_name="cmd.exe") \
| eval mitre_category="Execution"\
| eval mitre_technique="Command-Line Interface - Network"\
| eval mitre_technique_id="T1059" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1117] Bypassing Application Whitelisting with Regsvr32]
action.webhook.enable_allowlist = 0
cron_schedule = 13-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="regsvr32.exe" OR process_name="certutil.exe") OR process_command_line="*scrobj*"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Bypassing Application Whitelisting with Regsvr32"\
| eval mitre_technique_id="T1117" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1015] Accessibility Features - Registry]
action.webhook.enable_allowlist = 0
cron_schedule = 2-59/60 * * * *
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
search = `index_time` `sysmon` (EventID=12 OR EventID=13 OR EventID=14) (registry_key_path="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*") (event_type!=Delete*)\
| eval mitre_category="Persistence,Privilege_Escalation"\
| eval mitre_technique="Accessibility Features"\
| eval mitre_technique_id="T1015" \
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
[[T1057] Process Discovery]
action.webhook.enable_allowlist = 0
cron_schedule = 3-59/60 * * * *
enableSched = 1
search = `index_time` ((`sysmon` EventID=1) OR (`windows-security` EventID=4688)) (process_name="tasklist.exe" OR process_command_line="*Get-Process*") (user_name!="*SYSTEM")\
| eval mitre_category="Execution"\
| eval mitre_technique="Process Discovery"\
| eval mitre_technique_id="T1057" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
Reference in New Issue View Git Blame Copy Permalink