junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c9c0ba3aafbd779cd1044b67611282c525f4100
spl/splunk-magic-hound.md
junk 6d46dcec02 Update splunk-magic-hound.md
2025-01-08 20:35:04 -05:00

273 lines
14 KiB
Markdown
Raw Blame History

```check against powershell /c "Get-PhysicalDisk | Select-Object DeviceID, MediaType, Size, FriendlyName"```
```
`indextime` (`sysmon` OR `windows`) AND "powershell /c "Get-PhysicalDisk"
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.",
mitre_category="Discovery",
mitre_technique="File and Directory Discovery",
mitre_technique_id="T1083",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1083/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"')
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
mitre_category="Defense_Evasion",
mitre_technique="Impair Defenses",
mitre_technique_id="T1562",
mitre_subtechnique="Disable or Modify Tools",
mitre_subtechnique_id="T1562.001",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1562/001/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ('powershell /c "Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, EmailAddress"' OR 'powershell /c "Get-ADUser')
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).",
mitre_category="Discovery",
mitre_technique="Account Discovery",
mitre_technique_id="T1087",
mitre_subtechnique="Email Account",
mitre_subtechnique_id="T1087.003",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1087/003",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND *.docm
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. ",
mitre_category="Persistence",
mitre_technique="Office Application Startup",
mitre_technique_id="T1137",
mitre_subtechnique="Office Template Macros",
mitre_subtechnique_id="T1137.001",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1137/001/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND 'powershell.exe /c "net user DefaultAccount /active:yes"'
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.",
mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation","Initial_Access"),
mitre_technique="Valid Accounts",
mitre_technique_id="T1078",
mitre_subtechnique="Default Accounts",
mitre_subtechnique_id="T1078.001",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1078/001/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND (reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f)
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.",
mitre_category="Defense_Evasion",
mitre_technique="",
mitre_technique_id="T1562",
mitre_subtechnique="",
mitre_subtechnique_id="T####.###",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1562/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND "powershell.exe /c 'auditpol /clear /y'"
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.",
mitre_category="Defense_Evasion",
mitre_technique="Impair Defenses",
mitre_technique_id="T1562",
mitre_subtechnique="Disable Windows Event Logging",
mitre_subtechnique_id="T1562.002",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1562/002/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")) (Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )) OR (ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*")
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
mitre_category="Defense_Evasion",
mitre_technique="Impair Defenses",
mitre_technique_id="T1562",
mitre_subtechnique="Disable or Modify Tools",
mitre_subtechnique_id="T1562.001",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1562/001",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ("quser.exe" OR "netstat -ano")
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
mitre_category="Discovery",
mitre_technique="System Network Connections Discovery",
mitre_technique_id="T1049",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt=mvappend("Volt Typhoon","Magic Hound"),
mitre_link="https://attack.mitre.org/techniques/T1049/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip")
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
mitre_category="Discovery",
mitre_technique="System Network Connections Discovery",
mitre_technique_id="T1049",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1049/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
`indextime` (`sysmon` OR `windows`) AND ("schtasks /create /tn" OR "/ru SYSTEM")
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.",
mitre_category="Impact",
mitre_technique="Data Encrypted for Impact",
mitre_technique_id="T1486",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Magic Hound",
mitre_link="https://attack.mitre.org/techniques/T1486/",
creator="Cpl Iverson",
upload_date="2025-01-08",
last_modify_date="2025-01-08",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
------------------------------------------
------------ SURICATA RULES --------------
------------------------------------------
"mail-newyorker.com"
"news12.com.recover-session-service.site"
Reference in New Issue View Git Blame Copy Permalink