spl/splunk/savedsearches.conf

[[T1002] Data Compressed]
alert.track = 0
cron_schedule = 13-59/15 * * * *
enableSched = 1
schedule_window = auto
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
dispatch.earliest_time = 1
search = `indextime` ((`sysmon` event_id=11) OR (`windows-security` event_id=4688)) (process_name="powershell.exe" AND process_command_line="*-Recurse | Compress-Archive*") OR (TargetFilename="7z a*" OR TargetFilename="*.zip" OR TargetFilename="rar a*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="An adversary may compress and/or encrypt data that is collected prior to exfiltration.",\
mitre_category="Collection",\
mitre_technique="Archive Collected Data",\
mitre_technique_id="T1560",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1560/",\
creator="",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| `file_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1040] Network Sniffing - Process]
alert.track = 0
cron_schedule = 13-59/15 * * * *
enableSched = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
dispatch.earliest_time = 1
request.ui_dispatch_app = Arc_reactor_app
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) ((process_name="netsh.exe" AND process_command_line="*trace*start*capture=yes*") OR process_name="tshark.exe" OR process_name="wireshark.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.",\
mitre_category=mvappend("Privilege_Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Netsh Helper DLL", \
mitre_subtechnique_id="T1546.007",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/007/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[Top T-Codes for the week] Hunt Tool]
cron_schedule = 13-59/15 * * * *
enableSched = 1
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = `jarvis_index` earliest=-7d@d latest=@d \
| stats count by _time, mitre_technique \
| timechart sum(count) by mitre_technique useother=false

[[T0000] Connections from Uncommon Locations]
search = `indextime` `sysmon` event_id=3 (process_path="C:\\user_names\\*" OR process_path="C:\\ProgramData\\*" OR process_path="C:\\Windows\\Temp\\*" OR process_path="C:\\Temp\\*") initiated=true \
| eval mitre_category=""\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="",\
mitre_category=mvappend("Lateral_Movement","Execution"),\
mitre_technique="Connections from Uncommon Locations",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1027/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `network_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name process_path process_id process_guid src_ip dst_ip dst_port src_host_name dst_host_name initiated transport mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003] OS Credential Dumping - Network Traffic Content]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Anomalous network traffic content related to credential managers\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip]| eval SourceIP = src_ip, DestinationIP = dest_ip, Protocol = proto| search (content="LDAPSearchRequest") OR (content="LDAPModifyRequest") OR (content="bindRequest") OR (content="searchResEntry") OR (content="NTDS.dit")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Network Traffic Content - Unexpected memory dump file creation",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1012] LOLBAS Chinese APT Credential Theft Save Registry SAM and System]
search = `indextime` `windows-security` AND ((Image="*\\reg.exe" OR OriginalFileName="reg.exe") AND CommandLine="*save*" AND (CommandLine="*reg save hklm\\sam ss.dat*" OR CommandLine="*reg save hklm\\system sy.dat*" OR CommandLine="*reg save hklm\\system*" OR CommandLine="*reg save hklm\\sam*"))\
``` author: SIMKRA, @SIMKRA202 ```\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the usage of 'reg.exe' in order to save registry sam and system.",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Credential%20Theft%20Save%20Registry%20SAM%20and%20System.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Credential%20Theft%20Save%20Registry%20SAM%20and%20System.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1012] Query Registry_Analytic_5]
search = `indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5)\
| search Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound \
| where ProcessCount < LowerBound\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Rare LolBAS command lines",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Chimera","Daggerfly","Dragonfly","Fox Kitten","Indrik Spider","Kimsuky","Lazarus Group","OilRig","Stealth Falcon","Threat Group-3390","Turla","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1012/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2025-03-06",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1012
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1018] Remote System Discovery - Process]
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" OR process_name="ping.exe") AND (process_command_line="*net* view*" OR process_command_line="*ping *")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.",\
mitre_category="Discovery",\
mitre_technique="Remote System Discovery",\
mitre_technique_id="T1018",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1018/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-03-06",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1098] Account Manipulation - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1098,technique_name=Account Manipulation"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Account Manipulation",\
mitre_technique_id="T1098",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Lazarus Group"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.\
https://attack.mitre.org/techniques/T1098/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1068] Exploitation for Privilege Escalation_Analytic_2]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND (ParentImage= "C:\Windows\System32\cmd.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual Child Process for spoolsv.exe or connhost.exe",\
mitre_category="Privilege_Escalation",\
mitre_technique="Exploitation for Privilege Escalation",\
mitre_technique_id="T1068",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT28","APT29","APT32","APT33","BITTER","Cobalt Group","FIN6","FIN8","LAPSUS$","MoustachedBouncer","PLATINUM","Scattered Spider","Threat Group-3390","Tonto Team","Turla","Volt Typhoon","Whitefly","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1068/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1068/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1036.005] Masquerading_Analytic_1]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe"))  OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe")  OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe")  OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe")  OR (Image="lasass.exe" AND image_path!="C:\Windows\System32\lsass.exe")  OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe")  OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe")  OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe")  OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe")  OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Common Windows Process Masquerading",\
mitre_category="Defense_Evasion",\
mitre_technique="Masquerading",\
mitre_technique_id="T1036",\
mitre_subtechnique="Match Legitimate Name or Location",\
mitre_subtechnique_id="T1036.005",\
apt=mvappend("APT1","APT28","APT29","APT32","APT39","APT41","APT5","Aoqin Dragon","Aquatic Panda","BRONZE BUTLER","BackdoorDiplomacy","Blue Mockingbird","Carbanak","Chimera","Darkhotel","Earth Lusca","Ember Bear","FIN13","FIN7","Ferocious Kitten","Fox Kitten","Gamaredon Group","INC Ransom","Indrik Spider","Ke3chang","Kimsuky","Lazarus Group","LuminousMoth","Machete","Magic Hound","MuddyWater","Mustang Panda","Mustard Tempest","Naikon","PROMETHIUM","Patchwork","Poseidon Group","RedCurl","Rocke","Sandworm Team","SideCopy","Sidewinder","Silence","Sowbug","TA2541","TeamTNT","ToddyCat","Transparent Tribe","Tropic Trooper","Turla","Volt Typhoon","WIRTE","Whitefly","admin@338","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1036/005/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1036/005/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1003] OS Credential Dumping - Process Access]
search = `indextime` `windows-security` EventCode=10 TargetImage="lsass.exe" SourceImage IN ("mimikatz.exe", "procdump.exe")OR \
(index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")) (key="cmdline" value IN ("mimikatz", "procdump")))\
OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/", "/private/etc/master.passwd") process IN ("mimikatz", "procdump"))\
| eval hunting_trigger="Unexpected memory dump file creation",\
mitre_category="Credential_Access",\
mitre_technique="Credential Dumping",\
mitre_technique_id="T1003" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Unauthorized access to credential managers.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1112] Modify Registry_Analytic_5]
search = `indextime` (`sysmon` EventCode="1") \
OR (`windows-security` EventCode="4688")\
((CommandLine="reg" CommandLine="add" CommandLine="/d") OR (CommandLine="Set-ItemProperty" CommandLine="-value"))\
(CommandLine="00000000" OR CommandLine="0") \
(CommandLine="SafeDllSearchMode")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Registry Edit with Creation of SafeDllSearchMode Key Set to 0",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1059.001] PowerShell Downloads - WinProcess]
search = `indextime` `windows-security` event_id=4688 (".Download" OR "Net.WebClient") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Download or web connection with ps1",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell", \
mitre_subtechnique_id="T1059.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1059/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime, host, host_fqdnName, Account_Name, New_Process_Name, Process_Command_Line mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| rename Process_Command_Line as process_command_line, New_Process_Name as process_path, Account_Name as user_name \
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Windows Security
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1012] LOLBAS Chinese APT Credential Theft Query Registry Software]
search = `indextime` `windows-security` AND ((Image="*\\reg.exe" OR OriginalFileName="reg.exe") AND CommandLine="*query*" AND (CommandLine="*reg query hklm\\software\\OpenSSH*" OR CommandLine="*reg query hklm\\software\\OpenSSH\\Agent*" OR CommandLine="*reg query hklm\\software\\realvnc*" OR CommandLine="*reg query hklm\\software\\realvnc\\vncserver*" OR CommandLine="*reg query hklm\\software\\realvnc\\Allusers*" OR CommandLine="*reg query hklm\\software\\realvnc\\Allusers\\vncserver*" OR CommandLine="*reg query hkcu\\software*\\putty\\session*"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the usage of 'reg.exe' in order to query information from the registry like software.",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Credential%20Dumping%20to%20ADMIN%20localhost.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Credential%20Theft%20Query%20Registry%20Software.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1021.001] Remote Services_Analytic_2]
search = `indextime` `windows-security` EventCode="4624" AND LogonType="10" AND (AuthenticationPackageName="Negotiate" AND TargetUserName="Admin*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1",\
mitre_category="Unknown",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Remote Desktop Protocol",\
mitre_subtechnique_id="T1021.001",\
apt=mvappend("APT1","APT3","APT39","APT41","APT5","Agrius","Aquatic Panda","Axiom","Blue Mockingbird","Chimera","Cobalt Group","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","HEXANE","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Leviathan","Magic Hound","OilRig","Patchwork","Silence","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1021/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1203] Exploitation for Client Execution]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (Image= "\winword.exe" OR Image= "\excel.exe" OR Image= "\powerpnt.exe") AND (CommandLine= "macro" OR CommandLine= "automation" OR CommandLine= "shellcode") AND ParentCommandLine= "open*"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Office Application Process Execution",\
mitre_category="Execution",\
mitre_technique="Exploitation for Client Execution",\
mitre_technique_id="T1203",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
cve=mvappend("CVE-2020-0938","CVE-2020-1020"),\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1203/",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1203/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1204.001] Malicious Link - Files downloaded from links and then executed.]
search = `indextime` `sysmon` EventCode=11\
| search file_path IN ("/Downloads/", "/Temp/")\
| stats count by file_name file_path user\
| where file_name LIKE "%.exe" OR file_name LIKE "%.zip" OR file_name LIKE "%.js" OR file_name LIKE "%.docm"\
| eval hunting_trigger="Analytic 1 - Files downloaded from links and then executed.",\
mitre_category="Execution",\
mitre_technique="User Execution",\
mitre_technique_id="T1204",\
mitre_subtechnique="Malicious Link", \
mitre_subtechnique_id="T1204.001",\
cve="CVE-2020-11023",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1204/001",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1204/001/\
Analytic 1 - Files downloaded from links and then executed.
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1059.004] Command and Scripting Interpreter_Analytic_2]
disabled = 1
search = `indextime` sourcetype=linux_secure OR sourcetype=macos_secure\
| search (command="sh" OR command="bash" OR command="zsh")\
| eval suspicious_process=if(like(command_line, "%.sh" OR "%.bash" OR "%.zsh"), "Yes", "No")\
| where suspicious_process="Yes"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Look for unusual Unix shell process creation.",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="Unix Shell",\
mitre_subtechnique_id="T1059.004",\
apt=mvappend("APT41","Aquatic Panda","Rocke","TeamTNT","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1059/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1059/004/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[Event_ID_4624_saved_search]
search = `wineventlog-security`	EventCode=4624	NOT	(host="DC1"	OR	host="DC2"	OR	\
host="DC…")	NOT	(Account_Name="*$"	OR	Account_Name="ANONYMOUS	LOGON")	NOT	\
(Account_Name="Service_Account")	\
|	eval Account_Domain=(mvindex(Account_Domain,1))	|	\
eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)),	Account_Name)	|	\
eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)),	Account_Name)	|	\
eval	_time=strpTime(_Ome,"%Y/%m/%d	%T")	\
|	stats	count	values(Account_Domain)	AS	\
Domain,	values(host)	AS	Host,	dc(host)	AS	Host_Count,	values(Logon_Type)	AS	Logon_Type,	\
values(WorkstaOon_Name)	AS	WS_Name,	values(Source_Network_Address)	AS	Source_IP,	\
values(Process_Name)	AS	Process_Name	by	Account_Name	\
|	where	Host_Count	>	2
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 13 * * *
description = (Login Success)
dispatch.earliest_time = 0
enableSched = 1
schedule_priority = higher
schedule_window = 60

[[T1003.001] OS Credential Dumping_Analytic_2]
search = `indextime` `windows-security` EventCode=4663 ObjectName="\lsass.dmp" \
| where ProcessName IN ("procdump.exe", "rundll32.exe", "taskmgr.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "comsvcs.dll")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unexpected creation of LSASS dump files.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="LSASS Memory",\
mitre_subtechnique_id="T1003.001",\
apt=mvappend("APT1","APT28","APT3","APT32","APT33","APT39","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Cleaver","Earth Lusca","Ember Bear","FIN13","FIN6","FIN8","Fox Kitten","GALLIUM","HAFNIUM","Indrik Spider","Ke3chang","Kimsuky","Leafminer","Leviathan","Magic Hound","Moonstone Sleet","MuddyWater","OilRig","PLATINUM","Play","RedCurl","Sandworm Team","Silence","Threat Group-3390","Volt Typhoon","Whitefly","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1003/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1003.001] OS Credential Dumping_Analytic_3]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` EventCode=4624 TargetUserName="*"\
| eval LogonType=case(Logon_Type=="2", "Interactive", Logon_Type=="3", "Network", Logon_Type=="4", "Batch", Logon_Type=="5", "Service", Logon_Type=="7", "Unlock", Logon_Type=="8", "NetworkCleartext", Logon_Type=="9", "NewCredentials", Logon_Type=="10", "RemoteInteractive", Logon_Type=="11", "CachedInteractive")\
| where LogonType IN ("Interactive", "RemoteInteractive", "NetworkCleartext")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual logon sessions from LSASS memory access.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="LSASS Memory",\
mitre_subtechnique_id="T1003.001",\
apt=mvappend("APT1","APT28","APT3","APT32","APT33","APT39","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Cleaver","Earth Lusca","Ember Bear","FIN13","FIN6","FIN8","Fox Kitten","GALLIUM","HAFNIUM","Indrik Spider","Ke3chang","Kimsuky","Leafminer","Leviathan","Magic Hound","Moonstone Sleet","MuddyWater","OilRig","PLATINUM","Play","RedCurl","Sandworm Team","Silence","Threat Group-3390","Volt Typhoon","Whitefly","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1003/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] OS Credential Dumping - Windows Registry Key Access]
search = `indextime` `windows-security` EventCode=4663 ObjectName="*\SAM" \
| where ProcessName IN ("mimikatz.exe", "procdump.exe", "reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe")\
| eval hunting_trigger="Unauthorized registry access to SAM key"\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Unauthorized registry access to SAM key.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1007] System Service Discovery]
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" OR process_name="tasklist.exe" OR process_name="sc.exe" OR process_name="wmic.exe") AND (process_command_line="*net* start*" OR process_command_line="*tasklist \/svc*" OR process_command_line="*sc* query*" OR process_command_line="wmic* service where*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="System Service Discovery"\
| eval mitre_technique_id="T1007" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1010] Application Window Discovery_Analytic_1]
search = `indextime` `powershell` EventCode="4103" \
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Commands",\
mitre_category="Discovery",\
mitre_technique="Application Window Discovery",\
mitre_technique_id="T1010",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1010/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1010
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1010] Application Window Discovery_Analytic_2]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") \
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Processes",\
mitre_category="Discovery",\
mitre_technique="Application Window Discovery",\
mitre_technique_id="T1010",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1010/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1010
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1012] Query Registry_Analytic_1]
search = `indextime` (`sysmon` EventCode="4103") \
| where CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Commands",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Chimera","Daggerfly","Dragonfly","Fox Kitten","Indrik Spider","Kimsuky","Lazarus Group","OilRig","Stealth Falcon","Threat Group-3390","Turla","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1012/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2025-03-06",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1012
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1012] Query Registry_Analytic_6]
search = `indextime` (`windows-security` EventCode IN (4663, 4656)) AND ObjectType="Key" \
| where ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Registry",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Chimera","Daggerfly","Dragonfly","Fox Kitten","Indrik Spider","Kimsuky","Lazarus Group","OilRig","Stealth Falcon","Threat Group-3390","Turla","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1012/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2025-03-06",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1012
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1021.001] Remote Services_Analytic_3]
search = `indextime` `zeek_index`\
| search dest_port=3389 // Default RDP port| stats count by src_ip, dest_ip, dest_port\
| where src_ip!="trusted_ips" AND dest_ip!="internal_servers"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Abnormal RDP Network Connections",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Remote Desktop Protocol",\
mitre_subtechnique_id="T1021.001",\
apt=mvappend("APT1","APT3","APT39","APT41","APT5","Agrius","Aquatic Panda","Axiom","Blue Mockingbird","Chimera","Cobalt Group","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","HEXANE","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Leviathan","Magic Hound","OilRig","Patchwork","Silence","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1021/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1021.001] Remote Services_Analytic_5]
search = `indextime` `sysmon` EventCode=1 \
| search (parent_process="mstsc.exe" OR parent_process="rdpclip.exe")\
| table _time, host, user, process_name, parent_process, command_line\
| where process_name!="expected_processes"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual processes associated with RDP sessions",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Remote Desktop Protocol",\
mitre_subtechnique_id="T1021.001",\
apt=mvappend("APT1","APT3","APT39","APT41","APT5","Agrius","Aquatic Panda","Axiom","Blue Mockingbird","Chimera","Cobalt Group","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","HEXANE","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Leviathan","Magic Hound","OilRig","Patchwork","Silence","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1021/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1046] Network Service Discovery_Analytic_1]
search = `indextime` sourcetype='firewall_logs' dest_ip='internal_subnet' \
| stats dc(dest_port) as pcount by src_ip \
| where pcount >5\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Identifying Port Scanning Activity",\
mitre_category="Discovery",\
mitre_technique="Network Service Discovery",\
mitre_technique_id="T1046",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Agrius","BackdoorDiplomacy","BlackTech","Chimera","Cobalt Group","DarkVishnya","Ember Bear","FIN13","FIN6","Fox Kitten","INC Ransom","Lazarus Group","Leafminer","Magic Hound","Naikon","OilRig","RedCurl","Rocke","Suckfly","TeamTNT","Threat Group-3390","Tropic Trooper","Volt Typhoon","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1046/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1046/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1047] Windows Management Instrumentation - Monitor for WMI over RP]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` OR `sysmon` OR sourcetype=WinEventLog:Microsoft-Windows-Security-Auditing\
| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)\
| search ProcessName IN ("wmic.exe", "powershell.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe", "wbemtool.exe")\
| search CommandLine IN ("process call create", "win32_process", "win32_service", "shadowcopy delete", "network")\
| search (`windows-security` EventCode=4688) OR (`sysmon` EventCode=1)\
| join ProcessName [ search index=windows_logs `sysmon` EventCode=3 | eval DestinationIp = coalesce(DestinationIp, dest_ip)\
| eval DestinationPort = coalesce(DestinationPort, dest_port)\
| search DestinationPort IN (135, 5985, 5986) ]\
| stats count by _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, dest, src_ip, dest_ip\
| eval alert_message="Suspicious WMI Network Connection Detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine + " connecting to " + DestinationIp + ":" + DestinationPort\
| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR (src_ip="trusted_ip_range" AND DestinationIp="trusted_ip_range"))\
| table _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, src_ip, dest_ip, alert_message\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1 - Monitor for WMI over RPC (DCOM) connections. Look for the string RPCSS within the initial RPC connection on port 135/tcp." ,\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="APT29",\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-12",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="medium"\
| `wmi_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`windows-security` OR `sysmon`) \
| eval CommandLine=coalesce(CommandLine, ParentCommandLine)\
| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)\
| search ProcessName IN ("wmic.exe", "powershell.exe", "wbemtool.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe")\
| search CommandLine IN ("process call create", "shadowcopy delete", "process start", "createobject")\
| stats count by _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, dest, src_ip, dest_ip| eval alert_message="Suspicious WMI activity detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine\
| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR CommandLine="wmic shadowcopy delete" AND src_ip="trusted_ip_range")\
| table _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, src_ip, dest_ip, alert_message\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Look for wmic.exeexecution with arguments indicative of remote process creation.",\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT29","APT32","APT41","Aquatic Panda","Blue Mockingbird","Chimera","Cinnamon Tempest","Deep Panda","Earth Lusca","Ember Bear","FIN13","FIN6","FIN7","FIN8","GALLIUM","Gamaredon Group","INC Ransom","Indrik Spider","Lazarus Group","Leviathan","Magic Hound","MuddyWater","Mustang Panda","Naikon","OilRig","Sandworm Team","Stealth Falcon","TA2541","Threat Group-3390","ToddyCat","Volt Typhoon","Windshift","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation_Analytic_3]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` (EventCode=4688 OR EventCode=4656 OR EventCode=4103 OR EventCode=800) \
| eval command_line = coalesce(CommandLine, ParentCommandLine) \
| where (ProcessName="wmic.exe" AND (command_line LIKE "%/node:%" OR command_line LIKE "%process call create%"))OR (command_line LIKE "Invoke-WmiMethod" OR command_line LIKE "Get-WmiObject" OR command_line LIKE "gwmi" OR command_line LIKE "win32_process")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detect wmic.exeprocess creation with command lines containing process call create or /node:.",\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT29","APT32","APT41","Aquatic Panda","Blue Mockingbird","Chimera","Cinnamon Tempest","Deep Panda","Earth Lusca","Ember Bear","FIN13","FIN6","FIN7","FIN8","GALLIUM","Gamaredon Group","INC Ransom","Indrik Spider","Lazarus Group","Leviathan","Magic Hound","MuddyWater","Mustang Panda","Naikon","OilRig","Sandworm Team","Stealth Falcon","TA2541","Threat Group-3390","ToddyCat","Volt Typhoon","Windshift","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation_Analytic_4]
search = `indextime` sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" (EventCode=5861 OR EventCode=5857 OR EventCode=5858) \
| eval CommandLine = coalesce(CommandLine, ParentCommandLine) \
| where (EventCode=5861 AND (CommandLine LIKE "create" OR CommandLine LIKE "process")) OR (EventCode=5857 AND (CommandLine LIKE "exec" OR CommandLine LIKE "invoke")) OR (EventCode=5858 AND (CommandLine LIKE "payload" OR CommandLine LIKE "wmic"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="WMI object creation events",\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT29","APT32","APT41","Aquatic Panda","Blue Mockingbird","Chimera","Cinnamon Tempest","Deep Panda","Earth Lusca","Ember Bear","FIN13","FIN6","FIN7","FIN8","GALLIUM","Gamaredon Group","INC Ransom","Indrik Spider","Lazarus Group","Leviathan","Magic Hound","MuddyWater","Mustang Panda","Naikon","OilRig","Sandworm Team","Stealth Falcon","TA2541","Threat Group-3390","ToddyCat","Volt Typhoon","Windshift","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1059.001] Command and Scripting Interpreter: PowerShell -  Module Load]
search = `indextime` `sysmon`\
| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\System.Management.Automation.dll", "C:\Windows\System32\powershell.exe")\
| where suspicious_cmds="Yes"\
| eval mitre_category="Execution"\
| eval mitre_technique="Command and Scripting Interpreter"\
| eval mitre_technique_id="T1059" \
| eval mitre_subtechnique="Powershell"\
| eval mitre_subtechnique_id="T1059.001"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Command and Scripting Interpreter: PowerShell\
Module Load\
Analytic 1 - Processes loading PowerShell assemblies
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1059.001] Command and Scripting Interpreter: PowerShell - Command Execution]
search = `indextime` `powershell`\
| search EventCode=4104\
| eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")\
| where suspicious_cmds="Yes"\
| eval mitre_category="Execution"\
| eval mitre_technique="Command and Scripting Interpreter"\
| eval mitre_technique_id="T1059" \
| eval mitre_subtechnique="Powershell"\
| eval mitre_subtechnique_id="T1059.001"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Command and Scripting Interpreter: PowerShell\
Command Execution\
Analytic 1 - Look for unusual PowerShell execution.
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1204.002] User Execution: Malicious File - File Creation (A2)]
search = `indextime` `sysmon` EventCode=11\
| search file_path IN ("/Downloads/", "/Temp/", "/Desktop/")\
| stats count by file_name file_extension file_path user\
| where file_extension IN ("doc", "docx", "pdf", "xls", "rtf", "exe", "scr", "lnk", "pif", "cpl", "zip")\
| eval mitre_category="Execution"\
| eval mitre_technique="User Execution"\
| eval mitre_technique_id="T1204" \
| eval mitre_subtechnique="Malicious File"\
| eval mitre_subtechnique_id="T1204.002" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1204/002/\
Analytic 2 - New file creation in unusual directories.
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1204.002] User Execution: Malicious File - Process Creation]
search = `indextime` (`windows` EventCode=4688) OR (`sysmon` EventCode=1)\
| search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")\
| stats count by process_name parent_process_name command_line user\
| where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")\
| eval mitre_category="Execution"\
| eval mitre_technique="User Execution"\
| eval mitre_technique_id="T1204" \
| eval mitre_subtechnique="Malicious File"\
| eval mitre_subtechnique_id="T1204.002" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1204/002/\
Analytic 1 - Processes created from malicious files.
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1552] Unsecured Credentials_Analytic_4]
search = `indextime` (`windows-security` EventCode=4688 CommandLine="password" OR CommandLine="credential") OR(`sysmon` EventCode=1 CommandLine="password" OR CommandLine="credential") OR(index=os sourcetype="linux_audit" action="execve" CommandLine="password" OR CommandLine="credential") OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="password" OR CommandLine="credential")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="New processes with parameters indicating credential searches.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://attack.mitre.org/techniques/T1552/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = https://attack.mitre.org/techniques/T1552/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1552] Unsecured Credentials_Analytic_2]
search = `indextime` (`powershell` EventCode=4104) OR(index=os sourcetype="linux_secure" action="execve") OR(index=os sourcetype="macos_secure" event_type="execve") \
| where match(CommandLine, "(?i)(password|credential|secret|key|token|login|passwd|passphrase)")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious commands or regular expressions indicating credential search.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://attack.mitre.org/techniques/T1552/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = https://attack.mitre.org/techniques/T1552/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1552] Unsecured Credentials_Analytic_6]
search = `indextime` sourcetype="WinEventLog:Microsoft-Windows-Security-Auditing" EventCode=4663 ObjectType="Registry" (ObjectName="password" OR ObjectName="credential") | eval AccessAttempt=case(    AccessMask="0x1", "Read",    AccessMask="0x2", "Write",    AccessMask="0x3", "Read/Write",    AccessMask="0x4", "Delete",    true(), "Unknown")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unauthorized access to registry keys associated with credentials.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://attack.mitre.org/techniques/T1552/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = https://attack.mitre.org/techniques/T1552/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1053] Scheduled Task - FileAccess]
search = `indextime` `sysmon` event_id=11 process_path!="C:\\WINDOWS\\system32\\svchost.exe" (file_path="C:\\Windows\\System32\\Tasks\\*" OR file_path="C:\\Windows\\Tasks\\*")\
| eval mitre_technique="Scheduled Task",\
mitre_technique_id="T1053",\
apt="Volt Typhoon"\
| `file_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1559.001] Component Object Model - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1559.001,technique_name=Component Object Model"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Windows Component Object Model (COM) for local code execution.",\
mitre_category="Execution",\
mitre_technique="Inter-Process Communication",\
mitre_technique_id="T1559",\
mitre_subtechnique="Component Object Model", \
mitre_subtechnique_id="T1559.001",\
apt=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Windows Component Object Model (COM) for local code execution\
https://attack.mitre.org/techniques/T1559/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1046] Suspicious Network Detection - Syslog]
search = `indextime` `syslog` (kern.* /Suspicious network connection/)\
| eval mitre_category="Discovery",\
mitre_technique="Network Service Discovery",\
mitre_technique_id="T1046",\
apt="Volt Typhoon",\
hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
description = Suspicious Network Detection\
https://blog.frohrer.com/selecting-and-creating-detection-rules-with-syslog-and-splunk/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1105] Uncommon Network Connection Initiated By Certutil.EXE]
search = `indextime` `windows` AND (Image="*\\certutil.exe" AND Initiated="true" AND (DestinationPort="80" OR DestinationPort="135" OR DestinationPort="443" OR DestinationPort="445"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects a network connection initiated by the certutil.exe utility.",\
mitre_category="Command_And_Control ",\
mitre_technique="Ingress Tool Transfer",\
mitre_technique_id="T1105",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("Volt Typhoon","APT41"),\
mitre_link="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml?source=post_page-----379a6b950492--------------------------------
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1069.002] Permission Groups Discovery_Analytic_1]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") ((Image= "net.exe" OR Image= "net1.exe") AND CommandLine="group/domain*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Local Permission Group Discovery - Net",\
mitre_category="Discovery",\
mitre_technique="Permission Groups Discovery",\
mitre_technique_id="T1069",\
mitre_subtechnique="Domain Groups",\
mitre_subtechnique_id="T1069.002",\
apt=mvappend("Dragonfly","FIN7","INC Ransom","Inception","Ke3chang","LAPSUS$","OilRig","ToddyCat","Turla","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1069/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
description = https://attack.mitre.org/techniques/T1069/002/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1083] File and Directory Discovery - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1083,technique_name=File and Directory Discovery"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.",\
mitre_category="Discovery",\
mitre_technique="File and Directory Discovery",\
mitre_technique_id="T1083",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt=mvappend("Volt Typhoon","Fox Kitten"),\
mitre_link="https://attack.mitre.org/techniques/T1083/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\
https://attack.mitre.org/techniques/T1083/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1204] User Execution - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1204,technique_name=User Execution"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - specific actions by a user in order to gain execution.",\
mitre_category="Execution",\
mitre_technique="User Execution",\
mitre_technique_id="T1204",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = specific actions by a user in order to gain execution\
https://attack.mitre.org/techniques/T1204/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1552] Unsecured Credentials_Analytic_3]
search = `indextime` (`windows-security` EventCode=4663 ObjectName="password" OR ObjectName="credential") OR(`sysmon` EventCode=11 TargetObject="password" OR TargetObject="credential") OR(index=os sourcetype="linux_audit" action="open" filepath IN ("password", "credential", "passwd", "shadow", ".pem", ".key")) OR(index=os sourcetype="macos_secure" event_type="open" file_path IN ("password", "credential", "passwd", "shadow", ".pem", ".key"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Multiple file reads in a short period or searching for credential material.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://attack.mitre.org/techniques/T1552/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = https://attack.mitre.org/techniques/T1552/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1203] Exploitation for Client Execution - Office Application Process Execution]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (Image= "\winword.exe" OR Image= "\excel.exe" OR Image= "\powerpnt.exe") AND (CommandLine= "macro" OR CommandLine= "automation" OR CommandLine= "shellcode") AND ParentCommandLine= "open*"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Office Application Process Execution",\
mitre_category="Execution",\
mitre_technique="Exploitation for Client Execution",\
mitre_technique_id="T1203",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
cve=mvappend("CVE-2020-0938","CVE-2020-1020"),\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1203/",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1203/\
Analytic 1 - Office Application Process Execution
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1068] Privilege Escalation - Process Creation]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") ((Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage= "C:\Windows\System32\cmd.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications.",\
mitre_category="Privilege_Escalation",\
mitre_technique="Exploitation for Privilege Escalation",\
mitre_technique_id="T1068",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT28","APT29","APT32","APT33","BITTER","Cobalt Group","FIN6","FIN8","LAPSUS$","MoustachedBouncer","PLATINUM","Scattered Spider","Threat Group-3390","Tonto Team","Turla","Volt Typhoon","Whitefly","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1068/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1068/\
Unusual Child Process for spoolsv.exe or connhost.exe
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1003.001] OS Credential Dumping_Analytic_5]
search = `indextime` (`sysmon` EventCode="10") AND TargetImage= "*lsass.exe" AND SourceImage IN ("*mimikatz.exe", "*procdump.exe", "*rundll32.exe", "*taskmgr.exe", "*powershell.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious process access to LSASS memory.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="LSASS Memory",\
mitre_subtechnique_id="T1003.001",\
apt=mvappend("APT1","APT28","APT3","APT32","APT33","APT39","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Cleaver","Earth Lusca","Ember Bear","FIN13","FIN6","FIN8","Fox Kitten","GALLIUM","HAFNIUM","Indrik Spider","Ke3chang","Kimsuky","Leafminer","Leviathan","Magic Hound","Moonstone Sleet","MuddyWater","OilRig","PLATINUM","Play","RedCurl","Sandworm Team","Silence","Threat Group-3390","Volt Typhoon","Whitefly","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1003/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1012] Query Registry_Analytic_4]
search = `indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688"))\
| where (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%")\
| rename ProcessParentGuid as guid\
| join type=inner guid[ \
| search ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%")) \
| rename ProcessGuid as guid ]\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="reg.exe spawned from suspicious cmd.exe",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Chimera","Daggerfly","Dragonfly","Fox Kitten","Indrik Spider","Kimsuky","Lazarus Group","OilRig","Stealth Falcon","Threat Group-3390","Turla","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1012/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1012
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1068] Exploitation for Privilege Escalation - Unusual Child Process for spoolsv.exe]
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage= "C:\Windows\System32\cmd.exe"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual Child Process for spoolsv.exe or connhost.exe",\
mitre_category="Privilege_Escalation",\
mitre_technique="Exploitation for Privilege Escalation",\
mitre_technique_id="T1068",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
cve="CVE-2020-1027",\
apt=mvappend("APT28","APT29","APT32","APT33","BITTER","Cobalt Group","FIN6","FIN8","LAPSUS$","MoustachedBouncer","PLATINUM","Scattered Spider","Threat Group-3390","Tonto Team","Turla","Volt Typhoon","Whitefly","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1068/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1068/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1112] Modify Registry_Analytic_6]
search = `indextime` ((`windows-security` EventCode="4657")(ObjectValueName="SafeDllSearchMode" value="0")) OR \
((`sysmon` EventCode="13") EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Registry Edit with Creation of SafeDllSearchMode Key Set to 0",\
mitre_category="Unknown",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1007] System Service Discovery_Analytic_1]
search = `indextime` (`windows-security` EventCode="4688") OR (`sysmon` EventCode="1") \
| where ((CommandLine LIKE "%sc%" AND CommandLine LIKE "%query%") OR    (CommandLine LIKE "%tasklist%" AND CommandLine LIKE "%/svc%") OR   (CommandLine LIKE "%systemctl%" AND CommandLine LIKE "%--type=service%") OR   (CommandLine LIKE "%net%" AND CommandLine LIKE "%start%"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Processes",\
mitre_category="Discovery",\
mitre_technique="System Service Discovery",\
mitre_technique_id="T1007",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT1","Aquatic Panda","BRONZE BUTLER","Chimera","Earth Lusca","Indrik Spider","Ke3chang","Kimsuky","OilRig","Poseidon Group","TeamTNT","Turla","Volt Typhoon","admin@338"),\
mitre_link="https://attack.mitre.org/techniques/T1007/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1007
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1218.003] CMSTP]
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="CMSTP.exe") OR (Image="C:\Windows\System32\CMSTP.exe")\
| where (!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="CMSTP", \
mitre_subtechnique_id="T1218.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1197] BITS Jobs - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1197,technique_name=BITS"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks.",\
mitre_category=mvappend("Defense_Evasion","Persistence"),\
mitre_technique="BITS Jobs",\
mitre_technique_id="T1197",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks.\
\
https://attack.mitre.org/techniques/T1197/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1490] Inhibit System Recovery - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1490,technique_name=Inhibit System Recovery"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.",\
mitre_category="Impact",\
mitre_technique="Inhibit System Recovery", \
mitre_technique_id="T1490", \
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="",\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger apt mitre_subtechnique_id mitre_subtechnique\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may delete or remove built-in data\
https://attack.mitre.org/techniques/T1490/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1059.001][t1021.006] Remote PowerShell Session (PS Module)]
search = `indextime` `powershell` AND (ContextInfo="* \= ServerRemoteHost *" AND ContextInfo="*wsmprovhost.exe*") AND  NOT (ContextInfo="*\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1*")\
``` name: Remote PowerShell Session (PS Module) ```\
``` uuid: 96b9f619-aa91-478f-bacb-c3e50f8df575 ```\
``` author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton ```\
``` licence: DRL 1.1 ```\
| eval mitre_category=mvappend("Lateral_Movement","Execution")\
| eval mitre_technique=mvappend("Remote Services","Command and Scripting Interpreter")\
| eval mitre_technique_id=mvappend("T1059","T1021")\
| eval mitre_subtechnique_id=mvappend("T1059.001","T1021.006")\
| eval mitre_subtechnique=mvappend("PowerShell","Windows Remote Management")\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
description = SigmaHQ - Detects remote PowerShell sessions\
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1548] Local 7 pwd]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime`  (`zeek` OR `syslog`) facility="LOCAL7" tunnel_state="DMI-5-SYNC_NEEDED" AND message="*username*"\
| dedup login_dmi5\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.",\
mitre_category=mvappend("Privilege Escalation","Defense Evasion"),\
mitre_technique="Abuse Elevation Control Mechanism",\
mitre_technique_id="T1548",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1548/",\
creator="Cpl Iverson",\
upload_date="2025-02-10",\
last_modify_date="2025-02-10",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn login_dmi5 user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1548] Local 7 pwd VPN Login]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`zeek` OR `syslog`) facility=LOCAL7 AND tunnel_state=SEC_LOGIN-5-WEBLOGIN-SUCCESS\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.",\
mitre_category=mvappend("Privilege Escalation","Defense Evasion"),\
mitre_technique="Abuse Elevation Control Mechanism",\
mitre_technique_id="T1548",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1548/",\
creator="Cpl Iverson",\
upload_date="2025-02-10",\
last_modify_date="2025-02-10",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn login_dmi5 user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1105] Hidden Powershell]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `powershell` (process_name="powershell.exe" OR command_line="*powershell.exe*") AND (command_line="*-W Hidden*" AND command_line="*Invoke-WebRequest*" AND command_line="*/uploads/*")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - Suspicious PowerShell web download with hidden window",\
    mitre_category="Command and Control",\
    mitre_technique="Ingress Tool Transfer",\
    mitre_technique_id="T1105",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1105/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-16",\
    last_modify_date="2025-03-16",\
    mitre_version="v16",\
    priority="High"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.005] Suspicious mshta execution with remote URL detected]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (process_name="mshta.exe" OR command_line="*mshta*") AND (command_line="*http://*" OR command_line="*https://*")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - Suspicious mshta execution with remote URL detected",\
    mitre_category="Execution",\
    mitre_technique="Mshta",\
    mitre_technique_id="T1218.005",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1218/005/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-16",\
    last_modify_date="2025-03-16",\
    mitre_version="v16",\
    priority="High"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1082] PowerShell enumeration using Get-Process and mainWindowTitle]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `powershell` EventCode="4103" \
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - PowerShell enumeration using Get-Process and mainWindowTitle",\
    mitre_category="Discovery",\
    mitre_technique="System Information Discovery",\
    mitre_technique_id="T1082",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1082/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-16",\
    last_modify_date="2025-03-16",\
    mitre_version="v16",\
    priority="Medium"\
| eval indextime = _indextime \
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1010] Suspicious Process Enumeration via Get-Process and mainWindowTitle]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode=1) OR (`windows` EventCode=4688) OR (`powershell` EventCode=4103)\
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1010 - Analytic 1 - Suspicious Process Enumeration",\
    mitre_category="Discovery",\
    mitre_technique="Application Window Discovery",\
    mitre_technique_id="T1010",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1010/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-16",\
    last_modify_date="2025-03-16",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1570] Suspicious Named Pipe Creation (C2 / Browser Exfil)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode=17\
| where match(Pipe, ".*\\\\pipe\\\\(msse-|postex|srvsvc).*") OR Pipe="*Chrome*" OR Pipe="*Edge*" OR Pipe="*sqlite*"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1570 - Suspicious Named Pipe Activity (C2 / Browser Exfil)",\
    mitre_category="Lateral Movement",\
    mitre_technique="Lateral Tool Transfer",\
    mitre_technique_id="T1570",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1570/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name Pipe Image ProcessId ProcessGuid original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1012] Spike in Registry Access (Potential Pre-Reverse Shell Activity)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode=13\
| timechart span=1m count by Image\
| eventstats avg(count) as avg_count, stdev(count) as stddev_count\
| eval threshold=(avg_count + (2 * stddev_count))\
| where count > threshold\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1012 - Registry Spike (Anomaly)",\
    mitre_category="Discovery",\
    mitre_technique="Query Registry",\
    mitre_technique_id="T1012",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1012/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime count threshold Image mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1059] Python Script Execution Logging to “results” File (Suspicious Scripting Activity)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode=1\
| search Image="*python*.exe" CommandLine="*results*"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1059 - Analytic 1 - Suspicious Script Execution",\
    mitre_category="Execution",\
    mitre_technique="Command and Scripting Interpreter",\
    mitre_technique_id="T1059",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1059/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-16",\
    last_modify_date="2025-03-16",\
    mitre_version="v16",\
    priority="Medium"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1012] Registry Modification Spike Indicative of Enumeration or Pre-Execution Behavior]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode=13\
| stats count by _time, TargetObject\
| where count > 5\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Registry Queries",\
    mitre_category="Discovery",\
    mitre_technique="Query Registry",\
    mitre_technique_id="T1012",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1012/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-16",\
    last_modify_date="2025-03-16",\
    mitre_version="v16",\
    priority="Medium"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1555.003] Unauthorized Access to Browser Credential Stores (SQLite: Cookies, History, Web Data)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode=10\
| search TargetFilename="*Cookies" OR TargetFilename="*History" OR TargetFilename="*Web Data"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1555.003 - Analytic 1 - Unauthorized Browser Data Access",\
    mitre_category="Credential Access",\
    mitre_technique="Credentials from Password Stores",\
    mitre_technique_id="T1555",\
    mitre_subtechnique="Web Browsers",\
    mitre_subtechnique_id="T1555.003",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer",\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.006] Detect Execution of Python Infostealer]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows` EventCode=4688\
| search NewProcessName="*python.exe" CommandLine="*results*"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1059.006 - Suspicious Python Execution",\
    mitre_category="Execution",\
    mitre_technique="Command and Scripting Interpreter",\
    mitre_technique_id="T1059",\
    mitre_subtechnique="Python",\
    mitre_subtechnique_id="T1059.006",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1059/006/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name NewProcessName ProcessId ParentProcessName ParentProcessId CommandLine mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1555.003] Detect Access to Browser Credential Storage]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows` EventCode=4663\
| search ObjectName="*Cookies" OR ObjectName="*Login Data" OR ObjectName="*Web Data" OR ObjectName="*History"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1555.003 - Unauthorized Browser Credential Access",\
    mitre_category="Credential Access",\
    mitre_technique="Credentials from Password Stores",\
    mitre_technique_id="T1555",\
    mitre_subtechnique="Web Browsers",\
    mitre_subtechnique_id="T1555.003",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName ProcessName ProcessId Accesses mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1012] Detect Registry Modification for Browser Decryption Key]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows` EventCode=4657\
| search ObjectName="*os_crypt*"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1012 - Suspicious Registry Query (Master Key Extraction)",\
    mitre_category="Discovery",\
    mitre_technique="Query Registry",\
    mitre_technique_id="T1012",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1012/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName ProcessName ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1555] Browser Credential File Access]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows` EventCode=4688 NewProcessName="*python.exe" CommandLine="*results*") OR (`sysmon` EventCode=1 Image="*python.exe" CommandLine="*results*")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1059.006 - Suspicious Python Script Execution",\
    mitre_category="Execution",\
    mitre_technique="Command and Scripting Interpreter",\
    mitre_technique_id="T1059",\
    mitre_subtechnique="Python",\
    mitre_subtechnique_id="T1059.006",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1059/006/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name NewProcessName Image ProcessId CommandLine ParentProcessName ParentProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1059] Python Script Execution (Suspicious Results File Usage)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows` EventCode=4663 ObjectName="*Cookies" OR ObjectName="*Login Data" OR ObjectName="*Web Data" OR ObjectName="*History") OR (`sysmon` EventCode=10 TargetFilename="*Cookies" OR TargetFilename="*Login Data" OR TargetFilename="*Web Data" OR TargetFilename="*History")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1555.003 - Browser Credential File Access",\
    mitre_category="Credential Access",\
    mitre_technique="Credentials from Password Stores",\
    mitre_technique_id="T1555",\
    mitre_subtechnique="Web Browsers",\
    mitre_subtechnique_id="T1555.003",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetFilename ProcessName Image ProcessId Accesses mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1012] Registry Key Access (Browser Master Key)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows` EventCode=4657 ObjectName="*os_crypt*") OR (`sysmon` EventCode=13 TargetObject="*os_crypt*")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1012 - Suspicious Registry Key Query",\
    mitre_category="Discovery",\
    mitre_technique="Query Registry",\
    mitre_technique_id="T1012",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1012/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetObject ProcessName Image ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1041] Exfiltration over Network (HTTP/HTTPS burst)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows` EventCode=5156 DestinationPort=80 OR DestinationPort=443) OR (`sysmon` EventCode=3 DestinationPort=80 OR DestinationPort=443)\
| stats count by DestinationIp ApplicationName Image\
| where count > 5\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1041 - High-Volume C2 Exfiltration",\
    mitre_category="Exfiltration",\
    mitre_technique="Exfiltration Over C2 Channel",\
    mitre_technique_id="T1041",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1041/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name ApplicationName Image DestinationIp DestinationPort mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1110.001] Reading Credentials]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=5379)\
| bin _time span=1m\
| stats count by _time, host, user\
| where count > 30\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1110.001 - Excessive Credential Validation (DPAPI Access)",\
    mitre_category="Credential Access",\
    mitre_technique="Brute Force",\
    mitre_technique_id="T1110",\
    mitre_subtechnique="Password Guessing",\
    mitre_subtechnique_id="T1110.001",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1110/001/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="Critical",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime hash_sha256 host user mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1059.006] INFOSTEALER - Python Launcher Execution]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` Image="*\\Python\\Launcher\\py.exe")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1059.006 - Python Launcher Execution",\
    mitre_category="Execution",\
    mitre_technique="Command and Scripting Interpreter",\
    mitre_technique_id="T1059",\
    mitre_subtechnique="Python",\
    mitre_subtechnique_id="T1059.006",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1059/006/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime hash_sha256 host user Image CommandLine ParentImage ParentCommandLine mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1021.001] INFOSTEALER - T1021.001 - Suspicious RDP (Port 3389) Network Connection]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` Message="*Network connection detected*" AND "*3389*")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1021.001 - Suspicious RDP (Port 3389) Network Connection",\
    mitre_category="Lateral Movement",\
    mitre_technique="Remote Services",\
    mitre_technique_id="T1021",\
    mitre_subtechnique="Remote Desktop Protocol",\
    mitre_subtechnique_id="T1021.001",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime hash_sha256 host user SourceIp DestinationIp DestinationPort Image CommandLine mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1110.001] INFOSTEALER - Multiple Failed Logons Followed by Success]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` (EventCode=4625 OR EventCode=4624))\
| eval status=case(EventCode=4625, "fail", EventCode=4624, "success")\
| stats count(eval(status="fail")) as fail_count,\
        values(eval(if(status="success", _time, null()))) as success_time\
    by user host\
| where fail_count > 5 AND isnotnull(success_time)\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1110.001 - Multiple Failed Logons Followed by Success",\
    mitre_category="Credential Access",\
    mitre_technique="Brute Force",\
    mitre_technique_id="T1110",\
    mitre_subtechnique="Password Guessing",\
    mitre_subtechnique_id="T1110.001",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1110/001/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="Critical",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime hash_sha256 user host fail_count success_time mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1204.002] INFOSTEALER - Zone.Identifier ADS Write Detected]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode=15 AND TargetFilename="*Zone.Identifier*")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1204.002 - Zone.Identifier ADS Write Detected",\
    mitre_category="Execution",\
    mitre_technique="User Execution",\
    mitre_technique_id="T1204",\
    mitre_subtechnique="Malicious File",\
    mitre_subtechnique_id="T1204.002",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1204/002/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="Critical",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime hash_sha256 host user Image TargetFilename ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1059.006] INFOSTEALER - Python Script Output to Desktop]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode=11 TargetFilename="*.txt" AND Image="*\\python.exe")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1059.006/T1005 - Python Script Output to Desktop File (results)",\
    mitre_category="Execution / Collection",\
    mitre_technique="Command and Scripting Interpreter",\
    mitre_technique_id="T1059",\
    mitre_subtechnique="Python",\
    mitre_subtechnique_id="T1059.006",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1059/006/",\
    mitre_link_2="https://attack.mitre.org/techniques/T1005/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(_time) ctime(indextime)\
| table _time indextime hash_sha256 host user Image CommandLine TargetFilename ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link mitre_link_2 last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1071.001] INFOSTEALER - Python HTTP Server Launched]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode=1 CommandLine="*http.server*")\
| stats count by _time host user Image CommandLine CurrentDirectory ProcessId\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1071.001 - Python HTTP Server Launched",\
    mitre_category="Command and Control",\
    mitre_technique="Application Layer Protocol",\
    mitre_technique_id="T1071",\
    mitre_subtechnique="Web Protocols",\
    mitre_subtechnique_id="T1071.001",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1071/001/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(_time) ctime(indextime)\
| table _time indextime hash_sha256 host user Image CommandLine CurrentDirectory ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1036.003] Detection: File Renamed or Created as .py (Suspicious Python Script Drop)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows` EventCode=4663 ObjectName="*.py") OR (`sysmon` EventCode=11 TargetFilename="*.py")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1036.003 - File Renamed or Created as Python Script",\
    mitre_category="Defense Evasion",\
    mitre_technique="Masquerading",\
    mitre_technique_id="T1036",\
    mitre_subtechnique="Rename System Utilities",\
    mitre_subtechnique_id="T1036.003",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1036/003/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime hash_sha256 host_fqdn user_name ObjectName TargetFilename ProcessName Image ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1003] OS Credential Dumping - Process Creation]
search = `indextime` `windows-security` EventCode=4688 Image="procdump.exe" ( CommandLine IN (" -ma lsass")) ```OR \
((index=security sourcetype="linux_secure" (key="cmdline" value IN ("procdump -ma /proc/$(pgrep lsass)")) (key="exe" value="procdump")) OR\
(index=security sourcetype="macOS:UnifiedLog" process="procdump" command=" -ma /proc/$(pgrep lsass)"```\
| eval hunting_trigger="Unexpected process creation related to credential dumping",\
mitre_category="Credential_Access",\
mitre_technique="Credential Dumping",\
mitre_technique_id="T1003" \
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Unexpected process creation related to credential dumping.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1012] Query Registry_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1012
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine "%HKCR%"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Chimera","Daggerfly","Dragonfly","Fox Kitten","Indrik Spider","Kimsuky","Lazarus Group","OilRig","Stealth Falcon","Threat Group-3390","Turla","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1012/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1140] Suspicious File Access and Modifications]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventID=11 TargetFilename IN ("*\\Chrome\\User Data\\Default\\Cookies", "*\\Edge\\User Data\\Default\\Cookies", "*\\Chrome\\User Data\\Default\\History", "*\\Edge\\User Data\\Default\\History")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="Python decryption routine detected",\
    mitre_category="Defense_Evasion",\
    mitre_technique="Deobfuscate/Decode Files or Information",\
    mitre_technique_id="T1140",\
    mitre_subtechnique="", \
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1140/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-10",\
    last_modify_date="2025-03-10",\
    mitre_version="v16.1",\
    priority="High"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1027] Encoded Powershell command]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `powershell` (process_name="powershell.exe" OR command_line="*powershell.exe*") AND (command_line="*-enc *" OR command_line="*-EncodedCommand *")\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - Encoded PowerShell command detected",\
    mitre_category="Defense_Evasion",\
    mitre_technique="Obfuscated Files or Information",\
    mitre_technique_id="T1027",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1027/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-10",\
    last_modify_date="2025-03-10",\
    mitre_version="v16",\
    priority="High"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1041] High-Volume HTTP/S Exfiltration Attempt via Suspicious Process]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode=3) (DestinationPort=80 OR DestinationPort=443)\
| stats count by DestinationIp Image\
| where count > 5\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - Analytic 1 - Suspicious Data Exfiltration",\
    mitre_category="Exfiltration",\
    mitre_technique="Exfiltration Over C2 Channel",\
    mitre_technique_id="T1041",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1041/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer",\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1140] Suspicious Process Execution]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventID=1 Image="*python.exe" CommandLine="*decrypt_value*"\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="Python decryption routine detected",\
    mitre_category="Defense_Evasion",\
    mitre_technique="Deobfuscate/Decode Files or Information",\
    mitre_technique_id="T1140",\
    mitre_subtechnique="", \
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1140/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-10",\
    last_modify_date="2025-03-10",\
    mitre_version="v16.1",\
    priority="High"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1543.003] Windows Service - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1543.003,technique_name=Windows Service"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.",\
mitre_category=mvappend("Persistence","Privelege_Escalation"),\
mitre_technique="Create or Modify System Process",\
mitre_technique_id="T1543",\
mitre_subtechnique="Windows Service",\
mitre_subtechnique_id="T1543.003",\
apt="Lazarus Group"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.https://attack.mitre.org/techniques/T1543/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1078.003] Local Accounts - Remote Desktop Logon]
search = `indextime` (`windows-security` EventCode="4624") AuthenticationPackageName= "Negotiate" AND Severity= "Information" AND logon_type= "10"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may obtain and abuse credentials of a local account as a means of gaining Access.",\
mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation","Initial_Access"),\
mitre_technique="Valid Accounts",\
mitre_technique_id="T1078",\
mitre_subtechnique="Local Accounts",\
mitre_subtechnique_id="T1078.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1078/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-14",\
last_modify_date="2025-01-14",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/TT1078/003
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1204.001] Malicious Link - Suspicious network traffic content]
search = `indextime` (`zeek_index` OR `syslog`) (http_method="GET" OR http_method="POST")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1 - Suspicious network traffic content",\
mitre_category="Execution",\
mitre_technique="User Execution",\
mitre_technique_id="T1204",\
mitre_subtechnique="Malicious Link", \
mitre_subtechnique_id="T1204.001",\
cve="CVE-2020-11023",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1204/001",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1204/001/\
Analytic 1 - Suspicious network traffic content
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto

[[T1539] Steal Web Session Cookie]
search = `indextime` (`windows-security` EventCode=4663 ObjectName="\AppData\Roaming\Cookies" OR ObjectName="\AppData\Local\\Cookies\") OR(`sysmon` EventCode=11 TargetObject="\AppData\Roaming\Cookies\" OR TargetObject="\AppData\Local\Cookies") OR(index=os sourcetype="linux_audit" (filepath="/home//.mozilla/firefox/.default-release/cookies.sqlite" OR filepath="/home//.config/google-chrome/Default/Cookies"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="MITRE - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.",\
mitre_category="Credential_Access",\
mitre_technique="Steal Web Session Cookie",\
mitre_technique_id="T1539",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
cve="CVE-2013-3900",\
apt=mvappend("Evilnum","LuminousMoth","Sandworm Team","Scattered Spider","Star Blizzard"),\
mitre_link="https://attack.mitre.org/techniques/T1539",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority="medium"\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt cve mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = https://attack.mitre.org/techniques/T1539/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1539] Steal Web Session Cookie - Unauthorized access]
search = `indextime` (`windows-security` EventCode=4688 OR EventCode=4663) OR(`sysmon` EventCode=1 OR EventCode=10) OR(index=os sourcetype="linux_secure" action="execve" OR action="ptrace") OR(index=os sourcetype="macos_secure" event_type="execve" OR event_type="ptrace") OR(index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth") OR(index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="MITRE - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.",\
mitre_category="Credential_Access",\
mitre_technique="Steal Web Session Cookie",\
mitre_technique_id="T1539",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
cve="CVE-2013-3900",\
apt=mvappend("Evilnum","LuminousMoth","Sandworm Team","Scattered Spider","Star Blizzard"),\
mitre_link="https://attack.mitre.org/techniques/T1539/",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority="medium"\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt cve mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = https://attack.mitre.org/techniques/T1539/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1059.006] INFOSTEALER - .txt File Renamed to .py and Executed]
action.email.useNSSubject = 1
action.lookup = 1
action.lookup.append = 1
action.lookup.filename = jarvis_findings.csv
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode=11 (TargetFilename="*.txt" OR TargetFilename="*.py"))\
| eval file_ext=lower(replace(TargetFilename, "^.*\.", ""))\
| eval base_name=lower(replace(TargetFilename, "\.(txt|py)$", ""))\
| stats min(_time) as first_seen max(_time) as last_seen values(TargetFilename) as files_created by base_name host user\
| where mvcount(files_created) > 1 AND like(file_ext, "%txt%") AND like(file_ext, "%py%")\
| join type=inner base_name [\
    search `sysmon` EventCode=1 Image="*\\py.exe" CommandLine="*.py"\
    | eval base_name=lower(replace(CommandLine, "^.*\\([^\\]+)\.py.*$", "\1"))\
    | rename _time as exec_time, CommandLine as executed_cmd\
]\
| where exec_time - last_seen <= 300\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1059.006 - .txt File Renamed to .py and Executed",\
    mitre_category="Execution",\
    mitre_technique="Command and Scripting Interpreter",\
    mitre_technique_id="T1059",\
    mitre_subtechnique="Python",\
    mitre_subtechnique_id="T1059.006",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1059/006/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-24",\
    last_modify_date="2025-03-24",\
    mitre_version="v16",\
    priority="High",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(first_seen) ctime(last_seen) ctime(exec_time) ctime(indextime)\
| table first_seen last_seen exec_time indextime hash_sha256 host user files_created executed_cmd mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[[T1218.011] Rundll32 - (sysmon)]
search = `indextime` `sysmon` RuleName="technique_id=T1218.011,technique_name=rundll32.exe"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may abuse rundll32.exe to proxy execution of malicious code.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Rundll32",\
mitre_subtechnique_id="T1218.011",\
apt=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may abuse rundll32.exe to proxy execution of malicious code.\
https://attack.mitre.org/techniques/T1218/011/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto

[[T1134.001] Access Token Manipulation - Token Impersonation/Theft]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
description = https://attack.mitre.org/techniques/T1134/
dispatch.earliest_time = 1
dispatch.latest_time = now
search = ```wip```\
`indextime` `sysmon` event_id= 4672\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Access Token Manipulation: Token Impersonation/Theft",\
mitre_category=mvappend("Privilege_Escalation","Defense_Evasion"),\
mitre_technique="Access Token Manipulation",\
mitre_technique_id="T1134",\
mitre_subtechnique="Token Impersonation/Theft", \
mitre_subtechnique_id="T1134.001",\
apt="APT28",\
mitre_link="https://attack.mitre.org/techniques/T1134/001/",\
creator="Cpl Taylor",\
upload_date="2025-04-01",\
last_modify_date="2025-04-01",\
mitre_version="v16",\
priority=""\
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1136.001][T1098] Cisco Local Accounts]
search = `indextime` `syslog` AND ("username" OR "aaa")\
``` name: Cisco Local Accounts ```\
``` uuid: 6d844f0f-1c18-41af-8f19-33e7654edfc3 ```\
``` author: Austin Clark ```\
``` licence: DRL 1.1 ```\
| eval mitre_category="Persistence",\
mitre_technique="Account Manipulation",\
mitre_technique_id="T1098",\
mitre_technique="Create Account",\
mitre_technique_id="T1136",\
mitre_subtechnique="Local Account",\
mitre_subtechnique_id="T1136.001" \
| `registry_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details  mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = Find local accounts being created or modified as well as remote authentication configurations\
https://github.com/SigmaHQ/sigma/blob/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto

[[T1012] High Volume Registry Access (TargetObject Enumeration)]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode=13\
| stats count by _time, TargetObject\
| where count > 5\
| eval hash_sha256=lower(hash_sha256),\
    hunting_trigger="INFOSTEALER - T1012 - High Volume Registry Enumeration",\
    mitre_category="Discovery",\
    mitre_technique="Query Registry",\
    mitre_technique_id="T1012",\
    mitre_subtechnique="",\
    mitre_subtechnique_id="",\
    apt="",\
    mitre_link="https://attack.mitre.org/techniques/T1012/",\
    creator="Cpl Iverson",\
    last_tested="",\
    upload_date="2025-03-20",\
    last_modify_date="2025-03-20",\
    mitre_version="v16",\
    priority="Medium",\
    custom_category="infostealer"\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name TargetObject count mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category\
| collect `jarvis_index`

[test_suricata]
disabled = 1
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 15 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
search = index=suricata | table _time dest_ip dest_port src_ip src_port proto timestamp alert.severity alert.category alert.signature alert.rule | `suricata_whitelist` |collect `test_suricata`

[test_suricata index generator]
disabled = 1
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Important dont touch this
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = index=suricata | table _time dest_ip dest_port src_ip src_port proto timestamp alert.signature alert.severity alert.category alert.rule | `suricata_whitelist` | collect `test_suricata`

[[T1012] Query Registry - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 (process_name="reg.exe" AND process_command_line="*reg* query*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="Query Registry"\
| eval mitre_technique_id="T1012" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1012] Query Registry - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="reg.exe" AND process_command_line="*reg* query*") \
| eval mitre_category="Discovery"\
| eval mitre_technique="Query Registry"\
| eval mitre_technique_id="T1012" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1018] Remote System Discovery - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 6-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 (process_name="net.exe" OR process_name="ping.exe")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Remote System Discovery" \
| eval mitre_technique_id="T1018" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1027] Obfuscated Files or Information]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="certutil.exe" AND process_command_line="*encode*") OR process_command_line="*ToBase64String*"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Obfuscated Files or Information"\
| eval mitre_technique_id="T1027" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1033] System Owner/User Discovery]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="whoami.exe" OR process_command_line="*whoami*" OR process_command_line="wmic* useraccount get /ALL" OR process_name="qwinsta.exe" OR process_name="quser.exe")\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Owner/User Discovery"\
| eval mitre_technique_id="T1033" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1033] System Owner/User Discovery - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 (dest_port=389 OR dest_port=636 OR dest_port=445 OR dest_port=8080) \
| transaction process_guid maxspan=600s \
| eval target_hosts=mvcount(dest_ip) \
| where target_hosts>5 \
| eval mitre_category="Discovery"\
| eval mitre_technique="System Owner/User Discovery"\
| eval hunting_trigger="connections to multiple systems, possibly blood/sharphound"\
| eval mitre_technique_id="T1069" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1036] Masquerading - Extension]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="*.doc.*" OR process_name="*.docx.*" OR process_name="*.xls.*" OR process_name="*.xlsx.*" OR process_name="*.pdf.*" OR process_name="*.rtf.*" OR process_name="*.jpg.*" OR process_name="*.png.*" OR process_name="*.jpeg.*"  OR process_name="*.zip.*" OR process_name="*.rar.*"  OR process_name="*.ppt.*" OR process_name="*.pptx.*")\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval hunting_trigger="Malware masquarading as a document"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1036] Masquerading - Location]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=11 (file_path="*SysWOW64*" OR file_path="*System32*" OR file_path="*AppData*") AND (file_name="*.exe" OR file_name="*.dll" OR file_name="*.bat" OR file_name="*.com" OR file_name="*.ps1" OR file_name="*.py" OR file_name="*.js" OR file_name="*.vbs" OR file_name="*.hta") \
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval hunting_trigger="Executable file write in trusted location"\
| eval mitre_technique_id="T1036" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1036] Masquerading - explorer]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = parent > child mismatch \
thanks to endgame
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="explorer.exe" AND process_parent_name!="userinit.exe") \
| eval hunting_trigger="parent child mismatch"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1040] Network Sniffing]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 6-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="tshark.exe" OR process_name="windump.exe" OR process_name="logman.exe" OR process_name="tcpdump.exe" OR process_name="wprui.exe" OR process_name="wpr.exe")\
| eval mitre_category="Credential_Access,Discovery"\
| eval mitre_technique="Network Sniffing"\
| eval mitre_technique_id="T1040" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1040] Network Sniffing - Packet Capture Tools]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="pktmon.exe" OR process_name="tcpdump.exe") OR (original_file_name="pktmon.exe" OR original_file_name="tcpdump.exe") OR (process_name="netsh.exe" AND process_command_line="*trace start capture=yes*")\
| eval hunting_trigger="packet capture tool"\
| eval mitre_category="Discovery,Credential_Access"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1040" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_parent_path="C:\\Windows\\System32\\svchost.exe" AND process_path="C:\\WINDOWS\\system32\\wbem\\scrcons.exe"\
| eval mitre_category="Execution" \
| eval mitre_technique="Windows Management Instrumentation" \
| eval mitre_technique_id="T1047" \
| eval hunting_trigger="Instances of an Active Script Event Consumer" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1049] System Network Connections Discovery]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 4-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" OR process_name="netstat.exe") AND (process_command_line="*net* use*" OR process_command_line="*net* sessions*" OR process_command_line="*net* file*" OR process_command_line="*netstat*") OR process_command_line="*Get-NetTCPConnection*"\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Network Connections Discovery"\
| eval mitre_technique_id="T1049" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1055] Process Injection]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=8 (StartFunction="*LoadLibrary*") \
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Process Injection"\
| eval mitre_technique_id = "T1055"\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_name target_process_path target_process_address thread_new_id process_guid process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1055] Process Injection - CobaltStrike]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=8 target_process_address=0x*0B80\
| eval hunting_trigger="CobaltStrike injection"\
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Process Injection"\
| eval mitre_technique_id = "T1055"\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_name target_process_path target_process_address thread_new_id process_guid process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1055] Process Injection - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_command_line="*Invoke-DllInjection*" OR process_command_line="*c:\\windows\sysnative\\*" \
| eval mitre_category="Privilege_Escalation,Defense_Evasion"\
| eval mitre_technique="Process Injection"\
| eval mitre_technique_id="T1055" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1057] Process Discovery]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="tasklist.exe" OR process_command_line="*Get-Process*"\
| eval mitre_category="Execution"\
| eval mitre_technique="Process Discovery"\
| eval mitre_technique_id="T1057" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1069] Permission Groups Discovery - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="net.exe" AND (process_command_line="*net* user*" OR process_command_line="*net* group*" OR process_command_line="*net* localgroup*" OR process_command_line="*get-localgroup*" OR process_command_line="*get-ADPrinicipalGroupMembership*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Permission Groups Discovery"\
| eval mitre_technique_id="T1069" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1074] Data Staged - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Sysmon
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*DownloadString*" AND process_command_line="*Net.WebClient*" process_command_line="*New-Object*" AND process_command_line="*IEX*") \
| eval mitre_category="Collection"\
| eval mitre_technique="Data Staged"\
| eval mitre_technique_id="T1074" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1082] System Information Discovery]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="sysinfo.exe") OR (process_name="reg.exe" AND process_command_line="reg*query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum")\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Information Discovery"\
| eval mitre_technique_id="T1082" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1115] Clipboard Data]
action.webhook.enable_allowlist = 0
cron_schedule = */8 * * * *
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="clip.exe" OR process_command_line="*Get-Clipboard*")\
| eval mitre_category="Collection"\
| eval mitre_technique="Clipboard Data"\
| eval mitre_technique_id="T1115" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1123] Audio Capture]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="SoundRecorder.exe" OR process_command_line="*Get-AudioDevice*" OR process_command_line="*WindowsAudioDevice-Powershell-Cmdlet*")\
| eval mitre_category="Collection"\
| eval mitre_technique="Audio Capture"\
| eval mitre_technique_id="T1123" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1124] System Time Discovery]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_path="*\\net.exe" AND process_command_line="*net* time*") OR process_name="w32tm.exe" OR process_command_line="*Get-Date*"\
| eval mitre_category="Discovery"\
| eval mitre_technique="System Time Discovery"\
| eval mitre_technique_id="T1124" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1127] Trusted Developer Utilities - net2]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
search = `indextime` `sysmon` event_id=11 target_file_name="*\\AppData\\Local\\Microsoft\\CLR_v2.0*\\UsageLogs\\*"\
| eval hunting_trigger=".Net 2.0 compatible execution, probably bad"\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Trusted Developer Utilities"\
| eval mitre_technique_id="T1127" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1135] Network Share Discovery - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 4-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 process_name="net.exe" AND (process_command_line="*net* view*" OR process_command_line="*net* share*")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Network Share Discovery" \
| eval mitre_technique_id="T1135" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1135] Network Share Discovery - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" AND (process_command_line="*net* view*" OR process_command_line="*net* share*")) OR process_command_line="*get-smbshare -Name*"\
| eval mitre_category="Discovery"\
| eval mitre_technique="Network Share Discovery"\
| eval mitre_technique_id="T1135" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1136] Create Account]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*New-LocalUser*" OR process_command_line="*net*user*add*")\
| eval mitre_category="Persistence"\
| eval mitre_technique="Create Account"\
| eval mitre_technique_id="T1136" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1140] Deobfuscate/Decode Files or Information]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="certutil.exe" AND process_command_line="*decode*")\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Deobfuscate/Decode Files or Information"\
| eval mitre_technique_id="T1140" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1187] Forced Authentication]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 6-59/15 * * * *
description = Whitelisting required
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` search `sysmon` event_id=11 (file_path="*.lnk" OR file_path="*.scf")\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Forced Authentication"\
| eval mitre_technique_id="T1187" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1197] BITS Jobs - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 (process_name="bitsadmin.exe")\
| eval mitre_category="Persistence,Defense_Evasion"\
| eval mitre_technique="BITS Jobs"\
| eval mitre_technique_id="T1197" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1197] BITS Jobs - Process]
action.webhook.enable_allowlist = 0
cron_schedule = */8 * * * *
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="bitsadmin.exe" OR process_command_line="*Start-BitsTransfer*") \
| eval mitre_category="Persistence,Defense_Evasion"\
| eval mitre_technique="BITS Jobs"\
| eval mitre_technique_id="T1197" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1201] Password Policy Discovery]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*net* accounts*" OR process_command_line="*net* accounts \/domain*")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Password Policy Discovery"\
| eval mitre_technique_id="T1201" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1202] Indirect Command Execution]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_parent_name="pcalua.exe" OR process_name="pcalua.exe" OR process_name="bash.exe" OR process_name="forfiles.exe")\
| eval mitre_category="Discovery"\
| eval mitre_technique="Indirect Command Execution"\
| eval mitre_technique_id="T1202" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1216] Signed Script Proxy Execution]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*cscript*script\:http\[\:\]\/\/*" OR process_command_line="*wscript*script\:http\[\:\]\/\/*" OR process_command_line="*certutil*script\:http\[\:\]\/\/*" OR process_command_line="*jjs*-scripting*")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Signed Script Proxy Execution"\
| eval mitre_technique_id="T1216" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1218] Signed Binary Proxy Execution - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 (process_name=certutil.exe OR process_command_line="*certutil*script\:http\[\:\]\/\/*" OR process_path="*\\replace.exe")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Signed Binary Proxy Execution"\
| eval mitre_technique_id="T1218" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1218] Signed Binary Proxy Execution - Process]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*mavinject*\/injectrunning*" OR process_command_line="mavinject32*\/injectrunning*" OR process_command_line="*certutil*script\:http\[\:\]\/\/*" OR process_command_line="*certutil*script\:https\[\:\]\/\/*" OR process_command_line="*msiexec*http\[\:\]\/\/*" OR process_command_line="*msiexec*https\[\:\]\/\/*")\
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Signed Binary Proxy Execution"\
| eval mitre_technique_id="T1218" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1037] Logon Scripts]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*REG*ADD*HKCU\\Environment*UserInitMprLogonScript*")\
| eval mitre_category="Lateral_Movement,Persistence"\
| eval mitre_technique="Logon Scripts"\
| eval mitre_technique_id="T1037" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1127] Trusted Developer Utilities]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 4-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="MSBuild.exe" OR process_name="msxsl.exe") \
| eval mitre_category="Defense_Evasion,Execution"\
| eval mitre_technique="Trusted Developer Utilities"\
| eval mitre_technique_id="T1127" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1069] Permission Groups Discovery - Network]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 3-15/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` `sysmon` event_id=3 (process_name="net.exe" or process_name="net1.exe")\
| eval mitre_category="Discovery" \
| eval mitre_technique="Permission Groups Discovery" \
| eval mitre_technique_id="T1069" \
| `network_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1112] Modify Registry]
action.webhook.enable_allowlist = 0
enableSched = 1
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 2-15/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="reg.exe" AND process_command_line!="*query*")\
| eval mitre_category="Defense_Evasion" \
| eval mitre_technique="Modify Registry" \
| eval mitre_technique_id="T1112" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1071] Standard Application Layer Protocol]
action.webhook.enable_allowlist = 0
enableSched = 1
search = `indextime` `sysmon` event_id=22 [| inputlookup doh.csv] \
| eval mitre_category="Command_and_Control"\
| eval mitre_technique="Standard Application Layer Protocol"\
| eval hunting_trigger="DNS over HTTPS used" \
| eval mitre_technique_id="T1071" \
| eval event_description="DNS Query"  | `dns_whitelist` | table _time indextime event_description host_fqdn process_path query_name query_status query_results process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
disabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto

[[DCs] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = index=* host_fqdn=*DC*\
| dedup host_fqdn\
| addtotals host_fqdn\
| stats count as host_fqdn

[[Machines overtime] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = index=* user_name!=NT* user_name!=HealthMail*  user_name!=SYSTEM user_name!="-" \
| where isnotnull(user_name) \
| stats  count by host_fqdn user_name

[[Users] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = index=* NOT SYSTEM\
| dedup user_name\
| addtotals user_name\
| stats count as user_name

[[Whitelisting numbers] Jarvis Tools]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
description = shows 60 days of whitelisting numbers
enableSched = 1
schedule_window = auto
search = `jarvis_index` earliest=-60d@d latest=@d mitre_category="*" ```($exclude_technique$) AND $include_technique$ AND $include_host_fqdn$ AND ($exclude_host_fqdn$)```\
| timechart count(mitre_category) as "EVENT COUNT" | appendpipe [stats count | where count=0]

[[PotentialBadProcesses] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = index=* sourcetype=*\
| eval PotentialBadProcesses=\
case(\
like(_raw,"%explorer.exe%"),"explorer.exe",\
like(_raw,"%svchost.exe%"),"svchost.exe",\
like(_raw,"%lsass.exe%"),"lsass.exe",\
like(_raw,"%iexplore.exe%"),"iexplore.exe",\
like(_raw,"%win.exe%"),"win.exe",\
like(_raw,"%winlogon.exe%"),"winlogon.exe",\
like(_raw,"%NTDS.dit%"),"NTDS.dit"\
)\
| stats count by PotentialBadProcesses\
| sort -count\
| eval count=tostring('count',"commas")

[[Sysmon] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = index=windows `sysmon` | stats dc(Computer) as Sysmon

[[Unique Endpoints] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = shows unique hosts on network
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_priority = higher
schedule_window = auto
search = index=* | dedup src_ip, dest_ip | eval ip=coalesce(src_ip, dest_ip) | dedup ip | stats count

[[T1110] Brute Force - process create]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Known suspicious IPs from virustotal from incident 20240827
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` index=zeek* ```Known suspicious IPs from virustotal``` id.resp_h=194.169.175.37 OR id.orig_h=194.169.175.37 OR id.resp_h=194.169.175.38  OR id.orig_h=194.169.175.38 OR id.orig_h=193.201.9.156 OR id.resp_h=193.201.9.156 OR id.orig_h=85.209.11.227 OR id.resp_h=85.209.11.227 OR id.orig_h=85.209.11.254 OR id.resp_h=85.209.11.254 OR id.orig_h=183.81.169.238 OR id.resp_h=183.81.169.238 OR id.orig_h=119.29.193.235 OR id.resp_h=119.29.193.235 OR id.orig_h=151.177.48.239 OR id.resp_h=151.177.48.239 OR id.orig_h=83.222.191.62 OR id.resp_h=83.222.191.62 OR id.orig_h=165.231.182.113 OR id.resp_h=165.231.182.113 OR id.orig_h=164.90.183.255 OR id.resp_h=164.90.183.255\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Brute Force"\
| eval mitre_technique_id="T1110" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid parent_user_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[Splunk Users] Stats Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = shows users that are currently logged onto splunk
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` index=_audit  NOT "user=n/a" NOT "user=splunk-system-user" NOT "scheduler__nobody__search" \
| rex field=user "user=(?<User>\S+)" \
| stats count by user\
| sort - count

[[BlackTech T-Codes per day] APT Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 3 * * *
description = shows the t-codes during the day
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
display.visualizations.charting.drilldown = none
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = index=* \
```T-Codes during the day```\
mitre_technique_id=T1190 OR mitre_technique_id=T1203 OR mitre_technique_id=T1574 OR mitre_technique_id=T1036 OR mitre_technique_id=T1106 OR mitre_technique_id=T1046 OR mitre_technique_id=T1588 OR mitre_technique_id=T1566 OR mitre_technique_id=T1021 OR mitre_technique_id=T1204\
| `process_create_whitelist`\
| `file_access_whitelist`\
| `dns_whitelist` \
| `file_create_whitelist` \
| `image_load_whitelist` \
| `network_whitelist` \
| `pipe_whitelist` \
| `process_access_whitelist` \
| `registry_whitelist` \
| `remote_thread_whitelist` \
| `suricata_whitelist` \
| `wmi_whitelist`\
```| stats count by mitre_technique_id```\
| timechart span=1h count

[WEC Without Sysmon]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 8 * * *
description = All hosts not running Sysmon
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = |inputlookup WecHosts.csv | lookup SysmonHosts.csv host_fqdn OUTPUT host_fqdn AS sysmon | where isnull(sysmon) | fields host_fqdn

[WecHosts]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 6 * * *
description = All WEC Hosts
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = index=windows host=N2MEFBL24WEC01 | dedup host_fqdn | stats count by host_fqdn | fields host_fqdn | outputlookup WecHosts.csv

[[Sysmon 60D] Stats Tools]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 3 * * *
description = sysmon for last 60 days
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = index=windows `sysmon` earliest=-60d@d latest=@d\
| timechart dc(Computer) as Sysmon

[[T1136] Create Account - Volt Typhoon]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
description = (CUI) Volt Typhoon user creation on cisco devices
dispatch.earliest_time = 1
dispatch.latest_time = now
display.page.search.mode = fast
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_priority = highest
schedule_window = auto
search = `indextime` sourcetype=syslog cisco_admins OR cisco_tac_admin OR cisco_sys_manager OR cisco_suppport\
| eval mitre_category="Persistence"\
| eval mitre_technique="Create Account"\
| eval mitre_technique_id="T1136" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[ALL BlackTech TCodes] - APT Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = shows all t codes for the day with BlackTech\
added 20240830
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = index=* mitre_technique_id IN (T1190,T1203,T1574,T1036,T1106,T1046,T1588,T1566,T1021,T1204)\
| stats count as mitre_technique_id

[[T1016] System Network Configuration Discovery]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
description = https://attack.mitre.org/techniques/T1016/
disabled = 0
enableSched = 1
search = ```\
https://attack.mitre.org/techniques/T1016/\
Analytic 1 - Suspicious Process\
```\
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" AND process_command_line="*net* config*") OR (process_name="ipconfig.exe" OR process_name="netsh.exe" OR process_name="arp.exe" OR process_name="nbtstat.exe") \
| eval mitre_category="Discovery" \
| eval mitre_technique="System Network Configuration Discovery" \
| eval mitre_technique_id="T1016" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003][T1059.001] OS Credential Dumping/PowerShell]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
description = Mimikatz
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) \
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText\
| eval mitre_category=mvappend("Credential_Access","Execution")\
| eval mitre_technique=mvappend("Credential Dumping","Command and Scripting Interpreter")\
| eval mitre_technique_id=mvappend("T1003","T1059")\
| eval mitre_subtechnique_id="T1059.001"\
| eval mitre_subtechnique="PowerShell"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1110] Brute Force - Syslog]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = syslog failed logins\
https://blog.frohrer.com/selecting-and-creating-detection-rules-with-syslog-and-splunk/
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype=syslog (authpriv.* /Failed login attempt/)\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Brute Force"\
| eval mitre_technique_id="T1110" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid parent_user_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1110] Brute Force - Syslog Unauthorized access attempts]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Unauthorized access attempts\
https://blog.frohrer.com/selecting-and-creating-detection-rules-with-syslog-and-splunk/
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype=syslog (authpriv.* /Unauthorized access attempt/)\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Brute Force"\
| eval mitre_technique_id="T1110" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid parent_user_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1068] Privilege Escalation - Syslog]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Privilege escalation\
https://blog.frohrer.com/selecting-and-creating-detection-rules-with-syslog-and-splunk/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` sourcetype=syslog (authpriv.* /Privilege escalation/)\
| eval mitre_category="Privilege_Escalation"\
| eval mitre_technique="Exploitation for Privilege Escalation"\
| eval mitre_technique_id="T1068"\
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1204.002] User Execution: Malicious File - File Creation (A1)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1204/002/\
Analytic 1 - Batch File Write to System32
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="11") file_path="system32" AND file_extension=".bat"\
| eval mitre_category="Execution"\
| eval mitre_technique="User Execution"\
| eval mitre_technique_id="T1204" \
| eval mitre_subtechnique="Malicious File"\
| eval mitre_subtechnique_id="T1204.002" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1204.002] Malicious File - Syslog]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://blog.frohrer.com/selecting-and-creating-detection-rules-with-syslog-and-splunk/\
Malware
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype=syslog (kern.* /Malware detected/)\
| eval mitre_category="Execution"\
| eval mitre_technique="User Execution"\
| eval mitre_technique_id="T1204" \
| eval mitre_subtechnique="Malicious File"\
| eval mitre_subtechnique_id="T1204.002" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1553.004][T1552.004] Cisco Crypto Commands]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Show when private keys are being exported from the device, or when new certificates are installed\
https://github.com/SigmaHQ/sigma/blob/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `syslog` AND ("crypto pki export" OR "crypto pki import" OR "crypto pki trustpoint")\
``` name: Cisco Crypto Commands ```\
``` uuid: 1f978c6a-4415-47fb-aca5-736a44d7ca3d ```\
``` author: Austin Clark ```\
``` licence: DRL 1.1 ```\
| eval hash_sha256= lower(hash_sha256)\
| eval hunting_trigger="Cisco Crypto Commands"\
| eval mitre_category=mvappend("Defense_Evasion","credential_access")\
| eval mitre_technique_id=mvappend(T1552,"T1553")\
| eval mitre_technique=mvappend("Subvert Trust Controls","Unsecured Credentials")\
| eval mitre_subtechnique_id=mvappend("T1553.004","T1552.004")\
| eval mitre_subtechnique=mvappend("Install Root Certificate","Private Keys")\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1562.001] Cisco Disabling Logging]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = Turn off logging locally or remote\
https://github.com/SigmaHQ/sigma/blob/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `syslog` AND ("no logging" OR "no aaa new-model")\
``` name: Cisco Disabling Logging ```\
``` uuid: 9e8f6035-88bf-4a63-96b6-b17c0508257e ```\
``` author: Austin Clark ```\
``` licence: DRL 1.1 ```\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Impair Defenses"\
| eval mitre_technique_id="T1562" \
| eval mitre_subtechnique="Disable or Modify Tools"\
| eval mitre_subtechnique_id="T1562.001" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1552.001] Credentials In Files - 	Command Execution]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = Commands indicating credential searches in files.\
https://attack.mitre.org/techniques/T1552/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=4104 CommandLine="password" OR CommandLine="credential") OR (`sysmon` EventCode=1 CommandLine="password" OR CommandLine="credential") OR(index=os sourcetype="linux_audit" action="execve" CommandLine="password" OR CommandLine="credential" OR CommandLine="passwd" OR CommandLine="secret") OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="password" OR CommandLine="credential" OR CommandLine="passwd" OR CommandLine="secret")\
| eval mitre_category="Unsecured Credentials"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1552"\
| eval mitre_subtechnique="Credentials In Files"\
| eval mitre_subtechnique_id="T1552.001" \
| eval hunting_trigger="Commands indicating credential searches in files"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique mitre_subtechnique_id apt hunting_trigger\
| collect `jarvis_index`

[[T1552.001] Credentials In Files - 	File Access]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = Unauthorized access to files containing credentials\
https://attack.mitre.org/techniques/T1552/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=4663 ObjectName IN ("password", "credential", "secret", "token")) OR (`sysmon` EventCode=11 TargetObject IN ("password", "credential", "secret", "token")) OR(index=os sourcetype="linux_audit" action="open" filepath IN ("password", "credential", "passwd", "shadow", ".pem", ".key", "secret", "token")) OR(index=os sourcetype="macos_secure" event_type="open" file_path IN ("password", "credential", "passwd", "shadow", ".pem", ".key", "secret", "token"))\
| eval mitre_category="Unsecured Credentials"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1552"\
| eval mitre_subtechnique="Credentials In Files"\
| eval mitre_subtechnique_id="T1552.001" \
| eval hunting_trigger="Unauthorized access to files containing credentials"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique mitre_subtechnique_id apt hunting_trigger\
| collect `jarvis_index`

[[T1552.001] Credentials In Files - 	Process Creation]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
description = Credentials in Files & Registry\
https://attack.mitre.org/techniques/T1552/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")\
CommandLine="reg query HKLM /f password /t REG_SZ /s" ORCommandLine="reg query HKCU /f password /t REG_SZ /s" ORCommandLine="Get-UnattendedInstallFile" ORCommandLine="Get-Webconfig" ORCommandLine="Get-ApplicationHost" ORCommandLine="Get-SiteListPassword" ORCommandLine="Get-CachedGPPPassword" ORCommandLine="Get-RegistryAutoLogon*"\
| eval mitre_category="Unsecured Credentials"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1552"\
| eval mitre_subtechnique="Credentials In Files"\
| eval mitre_subtechnique_id="T1552.001" \
| eval hunting_trigger="Credentials in Files & Registry"\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique mitre_subtechnique_id apt hunting_trigger\
| collect `jarvis_index`

[[T1112] Modify Registry - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\
https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (RuleName="technique_id=T1112,technique_name=Modify Registry")\
| eval hash_sha256= lower(hash_sha256)\
| eval hunting_trigger="sysmon - hide configuration information within Registry keys"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Modify Registry" \
| eval mitre_technique_id="T1112" \
| eval mitre_subtechnique="" \
| eval mitre_subtechnique_id="" \
| eval apt="Volt Typhoon"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1547.001] Registry Run Keys / Start Folder - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key\
https://attack.mitre.org/techniques/T1547/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder"\
| eval hash_sha256= lower(hash_sha256)\
| eval hunting_trigger="sysmon - Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key."\
| eval mitre_category=mvappend("Persistence","Privilege_Escalation")\
| eval mitre_technique="Boot or Logon Autostart Execution" \
| eval mitre_technique_id="T1547" \
| eval mitre_subtechnique="Registry Run Keys / Start Folder" \
| eval mitre_subtechnique_id="T1547.001"\
| eval apt=mvappend("APT28","APT29","Lazarus Group","Magic Hound")\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1018] Remote System Discovery - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.\
https://attack.mitre.org/techniques/T1018/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1018,technique_name=Remote System Discovery"\
| eval hash_sha256= lower(hash_sha256)\
| eval hunting_trigger="sysmon - Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system."\
| eval mitre_category="Discovery"\
| eval mitre_technique="Remote System Discovery" \
| eval mitre_technique_id="T1018" \
| eval mitre_subtechnique="" \
| eval mitre_subtechnique_id=""\
| eval apt=mvappend("Volt Typhoon",""),\
mitre_link="https://attack.mitre.org/techniques/T1018/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority="High"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1053.002] AT - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code.https://attack.mitre.org/techniques/T1053/002/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique=T1053.002,technique_name=At"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code.",\
mitre_category=mvappend("Execution","Persistence","Privilege_Escalation"),\
mitre_technique="Scheduled Task/Job",\
mitre_technique_id="T1053",\
mitre_subtechnique="At", \
mitre_subtechnique_id="T1053.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1053/002/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1123] Audio Capture - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = adversary can leverage a computer's peripheral devices\
https://attack.mitre.org/techniques/T1123/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1123,technique_name=Audio Capture"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams)",\
mitre_category=mvappend("Collection",""),\
mitre_technique="Audio Capture",\
mitre_technique_id="T1123",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1123/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1137] Office Application Startup - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may leverage Microsoft Office-based applications for persistence between startups.\
https://attack.mitre.org/techniques/T1137/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1137,technique_name=Office Application Startup"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may leverage Microsoft Office-based applications for persistence between startups.",\
mitre_category=mvappend("Persistence",""),\
mitre_technique="Office Application Startup",\
mitre_technique_id="T1137",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1137/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.011] Event Triggered Execution - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.\
https://attack.mitre.org/techniques/T1546/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1546.011,technique_name=Application Shimming"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may abuse Internet browser extensions to establish persistent access to victim systems.",\
mitre_category=mvappend("Privilege_Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Application Shimming", \
mitre_subtechnique_id="T1546.011",\
apt=mvappend("FIN7",""),\
mitre_link="https://attack.mitre.org/techniques/T1546/011/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1189] Drive-by Compromise - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.\
https://attack.mitre.org/techniques/T1189/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1189,technique_name=Drive-by Compromise"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.",\
mitre_category=mvappend("Initial_Access",""),\
mitre_technique="Browser Extensions",\
mitre_technique_id="T1189",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt=mvappend("Kimsuky",""),\
mitre_link="https://attack.mitre.org/techniques/T1189/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.001] Change Default File Association]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Classes\\*\\*" OR registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence by executing malicious content triggered by a file type association.",\
mitre_category=mvappend("Privilege_Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Change Default File Association", \
mitre_subtechnique_id="T1546.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/001/",\
creator="Cpl Iverson",\
upload_date="prior 2024",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority="",\
notes="upgraded to v16"\
| transaction maxspan=1s process_id\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[Top Users Failing Authentication]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
description = Something from SecEssentials
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.visualizations.show = 0
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = (index=windows OR index=main) AND (action=fail* OR action=block*) AND (source=*win*security OR sourcetype=linux_secure) user!=""\
| stats count by user\
| stats sum(count) as count by user\
| sort - count

[[T1070.003] Cisco Clear Logs]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Clear command history in network OS which is used for defense evasion\
https://github.com/SigmaHQ/sigma/blob/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `syslog` AND ("clear logging" OR "clear archive")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Clear command history in network OS which is used for defense evasion",\
mitre_category="Defense_Evasion",\
mitre_technique="Indicator Removal on Host",\
mitre_technique_id="T1070",\
mitre_subtechnique="Clear Command History", \
mitre_subtechnique_id="T1070.003",\
apt="",\
mitre_link="https://github.com/SigmaHQ/sigma/blob/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml",\
creator="Cpl Iverson",\
upload_date="2024/11/20",\
last_modify_date="2024/12/04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1037] Boot or Logon initalization Scripts - Syslog Config Changes]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
description = Config changes\
https://blog.frohrer.com/selecting-and-creating-detection-rules-with-syslog-and-splunk/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.page.search.mode = fast
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_priority = highest
schedule_window = auto
search = `indextime` `syslog` "Configuration change"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Clear command history in network OS which is used for defense evasion",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Boot or Logon Initialization Scripts",\
mitre_technique_id="T1037",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://github.com/SigmaHQ/sigma/blob/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml",\
creator="Cpl Iverson",\
upload_date="2024/11/20",\
last_modify_date="2024/12/04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.015] Component Object Model Hijacking]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 4-59/15 * * * *
description = Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\
https://attack.mitre.org/techniques/T1546/015/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` EventCode IN (12, 13, 14) (TargetObject=\Software\Classes\CLSID*)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.",\
mitre_category=mvappend("Persistence","Defense_Evasion"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Component Object Model Hijacking", \
mitre_subtechnique_id="T1546.015",\
apt=mvappend("APT28",""),\
mitre_link="https://attack.mitre.org/techniques/T1546/015/",\
creator="Cpl Iverson",\
upload_date="prior 2024",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T0000] Console History]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*Get-History*" OR process_command_line="*AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt*" OR process_command_line="*(Get-PSReadlineOption).HistorySavePath*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="",\
mitre_category="Collection",\
mitre_technique="Console History",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="",\
creator="",\
upload_date="2024/01/01",\
last_modify_date="2024/12/03",\
mitre_version="",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1546.008] Accessibility Features]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = https://attack.mitre.org/techniques/T1546/008/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=1 process_parent_name="winlogon.exe" (process_name="sethc.exe" OR process_name="utilman.exe" OR process_name="osk.exe" OR process_name="magnify.exe" OR process_name="displayswitch.exe" OR process_name="narrator.exe" OR process_name="atbroker.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="MITRE - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Accessibility Features", \
mitre_subtechnique_id="T1546.008",\
apt=mvappend("APT3","APT29","APT41","Fox Kitten"),\
mitre_link="https://attack.mitre.org/techniques/T1546/008/",\
creator="Threathunting",\
upload_date="ThreatHunting",\
last_modify_date="2024/12/04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[All Volt Typhoon T-codes] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = shows all t codes for the day with Volt Typhoon
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `jarvis_index` mitre_technique_id IN (T1010,T1217,T1555,T1005,T1074,T1006,T1546,T1190,T1068,T1133,T1083,T1592,T1589,T1590,T1591,T1105,T1570,T1654,T1112,T1046,T1095,T1571,T1120,T1069,T1057,T1090,T1012,T1018,T1113,T1593,T1594,T1518,T1218,T1082,T1614,T1016,T1049,T1033,T1007,T1124,T1552,T1078,T1047) OR mitre_subtechnique_id IN (T1087.001,T1087.002,T1583.003,T1071.001,T1560.001,T1059.001,T1059.003,T1059.004,T1584.003,T1584.004,T1584.005,T1584.008,T1555.003,T1074.001,T1587.001,T1587.004,T1573.001,T1573.002,T1222.002,T1589.002,T1590.004,T1590.006,T1591.004,T1562.001,T1070.001,T1070.004,T1070.007,T1056.001,T1036.004,T1036.005,T1036.008,T1027.002,T1588.002,T1588.006,T1003.001,T1003.003,T1069.001,T1069.002,T1055.009,T1090.001,T1090.003,T1021.001,T1596.005,T1505.003,T1518.001,T1016.001,T1552.004,T1078.002,T1497.001)\
| dedup _time\
| stats count as mitre_technique_id

[[T1217] Browser Bookmark Discovery]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*firefox*places.sqlite*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Clear command history in network OS which is used for defense evasion",\
mitre_category=mvappend("Discovery",""),\
mitre_technique="Browser Bookmark Discovery",\
mitre_technique_id="T1217",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="",\
creator="Cpl Iverson",\
upload_date="2024/01/01",\
last_modify_date="2024/12/04",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_gui mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1562.001] Impair Defenses_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = https://attack.mitre.org/techniques/T1562/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (source="WinEventLog:System" EventCode="7036") ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="User Activity from Stopping Windows Defensive Services",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools",\
mitre_subtechnique_id="T1562.001",\
apt=mvappend("Agrius","Aquatic Panda","BRONZE BUTLER","Ember Bear","FIN6","Gamaredon Group","Gorgon Group","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Magic Hound","MuddyWater","Play","Putter Panda","Rocke","Saint Bear","TA2541","TA505","TeamTNT","Turla","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1562/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1110] Brute Force - Volt Typhoon]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 4-59/15 * * * *
description = klippel check this and refine
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `syslog` dnac AND User=* AND Privilege_Level=15 NOT (UserName=sdn.svc OR User=neo)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Campaign in December 2024",\
mitre_category="Credential_Access",\
mitre_technique="Brute Force",\
mitre_technique_id="T1110",\
mitre_subtechnique="Password Cracking", \
mitre_subtechnique_id="T1110.002",\
apt="Volt Typhoon",\
mitre_link="https://attack.mitre.org/techniques/T1110/002/",\
creator="Cpl Iverson",\
upload_date="2024/12/05",\
last_modify_date="2024/12/05",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.001] Impair Defenses_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = https://attack.mitre.org/techniques/T1562/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detecting Tampering of Windows Defender Command Prompt",\
mitre_category="Unknown",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools",\
mitre_subtechnique_id="T1562.001",\
apt=mvappend("Agrius","Aquatic Panda","BRONZE BUTLER","Ember Bear","FIN6","Gamaredon Group","Gorgon Group","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Magic Hound","MuddyWater","Play","Putter Panda","Rocke","Saint Bear","TA2541","TA505","TeamTNT","Turla","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1562/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1560] Archive Collected Data]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="powershell.exe" AND process_command_line="*-Recurse | Compress-Archive*") OR (process_name="rar.exe" AND process_command_line="rar*a*") OR process_name="7z.exe" OR process_name="*zip.exe"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Command Line Usage of Archiving Software",\
mitre_category="Collection",\
mitre_technique="Archive Collected Data",\
mitre_technique_id="T1560",\
mitre_subtechnique="Archive via Utility",\
mitre_subtechnique_id="T1560.001",\
apt=mvappend("APT1","APT28","APT3","APT33","APT39","APT41","APT5","Agrius","Akira","Aquatic Panda","BRONZE BUTLER","Chimera","CopyKittens","Earth Lusca","FIN13","FIN8","Fox Kitten","GALLIUM","Gallmaker","HAFNIUM","INC Ransom","Ke3chang","Kimsuky","Magic Hound","MuddyWater","Mustang Panda","Play","RedCurl","Sowbug","ToddyCat","Turla","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1560/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1555.003] Credentials from Password Stores_Analytic_4]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1555/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` event_type="process"(CommandLine IN ("sqlite3 logins", "sqlcipher logins", "db-browser Login Data", "db-browser logins.json", "CryptUnprotectData", "security find-internet-password", "security dump-keychain", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unauthorized process access indicating credential searches in web browsers.",\
mitre_category="Credential_Access",\
mitre_technique="Credentials from Password Stores",\
mitre_technique_id="T1555",\
mitre_subtechnique="Credentials from Web Browsers",\
mitre_subtechnique_id="T1555.003",\
apt=mvappend("APT3","APT33","APT37","APT41","Ajax Security Team","FIN6","HEXANE","Inception","Kimsuky","LAPSUS$","Leafminer","Malteiro","Molerats","MuddyWater","OilRig","Patchwork","RedCurl","Sandworm Team","Stealth Falcon","TA505","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1555.003] Credentials from Password Stores_Analytic_3]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1555/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` event_type="api_call"(api IN ("CryptUnprotectData", "NSS_Init", "PK11SDR_Decrypt", "SecItemCopyMatching", "SecItemAdd", "SecItemUpdate", "SecItemDelete"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious API calls related to web browser credential access.",\
mitre_category="Credential_Access",\
mitre_technique="Credentials from Password Stores",\
mitre_technique_id="T1555",\
mitre_subtechnique="Credentials from Web Browsers",\
mitre_subtechnique_id="T1555.003",\
apt=mvappend("APT3","APT33","APT37","APT41","Ajax Security Team","FIN6","HEXANE","Inception","Kimsuky","LAPSUS$","Leafminer","Malteiro","Molerats","MuddyWater","OilRig","Patchwork","RedCurl","Sandworm Team","Stealth Falcon","TA505","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1555.003] Credentials from Password Stores_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1555/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` event_type="file_open"((file_path IN ("\AppData\Local\Google\Chrome\User Data\Default\Login Data", "\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "\AppData\Roaming\Mozilla\Firefox\Profiles\\logins.json") AND Platform="Windows") OR (file_path IN ("/home//.mozilla/firefox//logins.json", "/home//.config/google-chrome/Default/Login Data") AND Platform="Linux") OR (file_path IN ("/Users//Library/Application Support/Google/Chrome/Default/Login Data", "/Users//Library/Application Support/Firefox/Profiles//logins.json") AND Platform="macOS"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unauthorized access to web browser credential files.",\
mitre_category="Credential_Access",\
mitre_technique="Credentials from Password Stores",\
mitre_technique_id="T1555",\
mitre_subtechnique="Credentials from Web Browsers",\
mitre_subtechnique_id="T1555.003",\
apt=mvappend("APT3","APT33","APT37","APT41","Ajax Security Team","FIN6","HEXANE","Inception","Kimsuky","LAPSUS$","Leafminer","Malteiro","Molerats","MuddyWater","OilRig","Patchwork","RedCurl","Sandworm Team","Stealth Falcon","TA505","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1555.003] Credentials from Password Stores_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1555/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` event_type="process"(CommandLine IN ("sqlite3 logins", "CryptUnprotectData", "security find-internet-password", "sqlcipher logins", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Commands indicating credential searches in web browsers.",\
mitre_category="Credential_Access",\
mitre_technique="Credentials from Password Stores",\
mitre_technique_id="T1555",\
mitre_subtechnique="Credentials from Web Browsers",\
mitre_subtechnique_id="T1555.003",\
apt=mvappend("APT3","APT33","APT37","APT41","Ajax Security Team","FIN6","HEXANE","Inception","Kimsuky","LAPSUS$","Leafminer","Malteiro","Molerats","MuddyWater","OilRig","Patchwork","RedCurl","Sandworm Team","Stealth Falcon","TA505","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1555/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1552.004] Unsecured Credentials_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = https://attack.mitre.org/techniques/T1552/004/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=4663 ObjectName IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc", "private key", "certificate")) OR(`sysmon` EventCode=11 TargetObject IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc", "private key", "certificate"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unauthorized access to cryptographic key files.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="Private Keys",\
mitre_subtechnique_id="T1552.004",\
apt=mvappend("Rocke","Scattered Spider","TeamTNT","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1552/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1552.004] Unsecured Credentials_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = https://attack.mitre.org/techniques/T1552/004/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=4688 CommandLine="private key" OR CommandLine="certificate" OR CommandLine IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")) OR(`sysmon` EventCode=1 CommandLine="private key" OR CommandLine="certificate" OR CommandLine IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Commands indicating searches for private keys.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="Private Keys",\
mitre_subtechnique_id="T1552.004",\
apt=mvappend("Rocke","Scattered Spider","TeamTNT","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1552/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1505.003] Server Software Component_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
description = https://attack.mitre.org/techniques/T1505/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") (ParentImage="C:\Windows\System32\w3wp.exe" OR ParentImage="httpd.exe" OR ParentImage="tomcat.exe" OR ParentImage="nginx.exe")(Image="C:\Windows\System32\cmd.exe OR Image="C:\Windows\SysWOW64\cmd.exe" OR Image="C:\Windows\System32\\powershell.exe OR Image="C:\Windows\SysWOW64\\powershell.exe OR Image="C:\Windows\System32\net.exe" OR Image="C:\Windows\System32\hostname.exe" OR Image="C:\Windows\System32\whoami.exe" OR Image="systeminfo.exe OR Image="C:\Windows\System32\ipconfig.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Webshell-Indicative Process Tree",\
mitre_category="Persistence",\
mitre_technique="Server Software Component",\
mitre_technique_id="T1505",\
mitre_subtechnique="Web Shell",\
mitre_subtechnique_id="T1505.003",\
apt=mvappend("APT28","APT29","APT32","APT38","APT39","APT5","Agrius","BackdoorDiplomacy","CURIUM","Deep Panda","Dragonfly","Ember Bear","FIN13","Fox Kitten","GALLIUM","HAFNIUM","Kimsuky","Leviathan","Magic Hound","Moses Staff","OilRig","Sandworm Team","Threat Group-3390","Tonto Team","Tropic Trooper","Volatile Cedar","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1505/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1112] Modify Registry_Analytic_8]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode="4657" ObjectValueName="Common Startup") OR (`sysmon` EventCode="13" TargetObject="*Common Startup")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Modification of Default Startup Folder in the Registry Key 'Common Startup'",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1112] Modify Registry_Analytic_7]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` EventCode="4657" (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify") OR `sysmon` EventCode="13" (TargetObject="Userinit" OR TargetObject="Shell" OR TargetObject="*Notify")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Registry Edit with Modification of Userinit, Shell or Notify",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1112] Modify Registry_Analytic_4]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") (CommandLine="reg" AND CommandLine="add" AND CommandLine="/d") OR (CommandLine="Set-ItemProperty" AND CommandLine="-value") CommandLine="Common Startup"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Modification of Default Startup Folder in the Registry Key 'Common Startup'",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1112] Modify Registry_Analytic_3]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") ((CommandLine="reg" CommandLine="add" CommandLine="/d") OR ((CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty") AND CommandLine="-value")) CommandLine="\Microsoft\Windows NT\CurrentVersion\Winlogon" (CommandLine="Userinit" OR CommandLine="Shell" OR CommandLine="Notify")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Registry Edit with Modification of Userinit, Shell or Notify",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1112] Modify Registry_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") ((CommandLine="reg" CommandLine="add" CommandLine="/d") OR ((CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty") AND CommandLine="-value")) CommandLine="\Microsoft\Windows NT\CurrentVersion\Winlogon" (CommandLine="Userinit" OR CommandLine="Shell" OR CommandLine="Notify")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Monitor processes and command-line arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. (i.e. reg.exe, regedit.exe).",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1112] Modify Registry_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-15/15 * * * *
description = https://attack.mitre.org/techniques/T1112/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (dest_port="445" AND proto_info.pipe="WINREG") OR (proto_info.function="Create" OR proto_info.function="SetValue")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Remote Registry",\
mitre_category="Defense_Evasion",\
mitre_technique="Modify Registry",\
mitre_technique_id="T1112",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT19","APT32","APT38","APT41","Aquatic Panda","Blue Mockingbird","Dragonfly","Earth Lusca","Ember Bear","FIN8","Gamaredon Group","Gorgon Group","Indrik Spider","Kimsuky","LuminousMoth","Magic Hound","Patchwork","Saint Bear","Silence","TA505","Threat Group-3390","Turla","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1112/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1078.002] Valid Accounts_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = https://attack.mitre.org/techniques/T1078/002/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode="4624") AuthenticationPackageName= "Negotiate" AND Severity= "Information" AND logon_type= "10"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Remote Desktop Logon",\
mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation", "Initial_Access"),\
mitre_technique="Valid Accounts",\
mitre_technique_id="T1078",\
mitre_subtechnique="Domain Accounts",\
mitre_subtechnique_id="T1078.002",\
apt=mvappend("APT3","APT5","Agrius","Aquatic Panda","Chimera","Cinnamon Tempest","Indrik Spider","Magic Hound","Naikon","Play","Sandworm Team","TA505","Threat Group-1314","ToddyCat","Volt Typhoon","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1078/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1069.001] Permission Groups Discovery_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
description = https://attack.mitre.org/techniques/T1069/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") Image="net.exe" AND (  CommandLine="net user" OR  CommandLine="net group" OR  CommandLine="net localgroup" OR  CommandLine="get-localgroup" OR  CommandLine="get-ADPrincipalGroupMembership*" )\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Local Permission Group Discovery",\
mitre_category="Discovery",\
mitre_technique="Permission Groups Discovery",\
mitre_technique_id="T1069",\
mitre_subtechnique="Local Groups",\
mitre_subtechnique_id="T1069.001",\
apt=mvappend("Chimera","HEXANE","OilRig","Tonto Team","Turla","Volt Typhoon","admin@338"),\
mitre_link="https://attack.mitre.org/techniques/T1069/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1069.001] Permission Groups Discovery_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
description = https://attack.mitre.org/techniques/T1069/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") Image="net.exe" AND (  CommandLine="net user" OR  CommandLine="net group" OR  CommandLine="net localgroup" OR  CommandLine="get-localgroup" OR  CommandLine="get-ADPrincipalGroupMembership*" )\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives.",\
mitre_category="Discovery",\
mitre_technique="Permission Groups Discovery",\
mitre_technique_id="T1069",\
mitre_subtechnique="Local Groups",\
mitre_subtechnique_id="T1069.001",\
apt=mvappend("Chimera","HEXANE","OilRig","Tonto Team","Turla","Volt Typhoon","admin@338"),\
mitre_link="https://attack.mitre.org/techniques/T1069/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.004] Command and Scripting Interpreter_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1059/004/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype="linux_logs" CommandLine="sh -c" AND (CommandLine="wget" OR CommandLine="curl" OR CommandLine="nc" OR CommandLine="perl")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual command execution",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="Unix Shell",\
mitre_subtechnique_id="T1059.004",\
apt=mvappend("APT41","Aquatic Panda","Rocke","TeamTNT","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1059/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.003] Command and Scripting Interpreter_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1059/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP "./c." OR CommandLine REGEXP ".._ \/k.*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd.",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="Windows Command Shell",\
mitre_subtechnique_id="T1059.003",\
apt=mvappend("APT1","APT18","APT28","APT3","APT32","APT37","APT38","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Chimera","Cinnamon Tempest","Cobalt Group","Dark Caracal","Darkhotel","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","GALLIUM","Gamaredon Group","Gorgon Group","HAFNIUM","Higaisa","INC Ransom","Indrik Spider","Ke3chang","Kimsuky","Lazarus Group","LazyScripter","Machete","Magic Hound","Metador","MuddyWater","Mustang Panda","Nomadic Octopus","OilRig","Patchwork","Play","Rancor","RedCurl","Saint Bear","Silence","Sowbug","Suckfly","TA505","TA551","TA577","TeamTNT","Threat Group-1314","Threat Group-3390","ToddyCat","Tropic Trooper","Turla","Volt Typhoon","Winter Vivern","Wizard Spider","ZIRCONIUM","admin@338","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1059/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1016] System Network Configuration Discovery_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1016
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND  (Image="C:\Windows\System32\ipconfig.exe" OR   Image="C:\Windows\System32\route.exe" OR   Image="C:\Windows\System32\nbtstat.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Process",\
mitre_category="Discovery",\
mitre_technique="System Network Configuration Discovery",\
mitre_technique_id="T1016",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT1","APT19","APT3","APT32","APT41","Chimera","Darkhotel","Dragonfly","Earth Lusca","FIN13","GALLIUM","HAFNIUM","HEXANE","Higaisa","Ke3chang","Kimsuky","Lazarus Group","Magic Hound","Moonstone Sleet","Moses Staff","MuddyWater","Mustang Panda","Naikon","OilRig","Play","SideCopy","Sidewinder","Stealth Falcon","TeamTNT","Threat Group-3390","Tropic Trooper","Turla","Volt Typhoon","Wizard Spider","ZIRCONIUM","admin@338","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1016/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1016] System Network Configuration Discovery_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1016
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND  (Image="C:\Windows\System32\ipconfig.exe" OR   Image="C:\Windows\System32\route.exe" OR   Image="C:\Windows\System32\nbtstat.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. ",\
mitre_category="Discovery",\
mitre_technique="System Network Configuration Discovery",\
mitre_technique_id="T1016",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT1","APT19","APT3","APT32","APT41","Chimera","Darkhotel","Dragonfly","Earth Lusca","FIN13","GALLIUM","HAFNIUM","HEXANE","Higaisa","Ke3chang","Kimsuky","Lazarus Group","Magic Hound","Moonstone Sleet","Moses Staff","MuddyWater","Mustang Panda","Naikon","OilRig","Play","SideCopy","Sidewinder","Stealth Falcon","TeamTNT","Threat Group-3390","Tropic Trooper","Turla","Volt Typhoon","Wizard Spider","ZIRCONIUM","admin@338","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1016/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1012] Query Registry_Analytic_3]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1012
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine "%HKCR%"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Processes with Registry keys",\
mitre_category="Discovery",\
mitre_technique="Query Registry",\
mitre_technique_id="T1012",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT32","APT39","APT41","Chimera","Daggerfly","Dragonfly","Fox Kitten","Indrik Spider","Kimsuky","Lazarus Group","OilRig","Stealth Falcon","Threat Group-3390","Turla","Volt Typhoon","ZIRCONIUM"),\
mitre_link="https://attack.mitre.org/techniques/T1012/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003.003] OS Credential Dumping_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/003
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`powershell`  EventCode="800") AND((CommandLine LIKE "%ntds%" AND CommandLine LIKE "%ntdsutil%" AND CommandLine LIKE "%create%") OR (CommandLine LIKE "%vssadmin%" AND CommandLine LIKE "%create%" AND CommandLine LIKE "%shadow%") OR (CommandLine LIKE "%copy%" AND CommandLine LIKE "%ntds.dit%")))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Command line attempt to access or create a copy of ntds.dit file",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="NTDS",\
mitre_subtechnique_id="T1003.003",\
apt=mvappend("APT28","APT41","Chimera","Dragonfly","FIN13","FIN6","Fox Kitten","HAFNIUM","Ke3chang","LAPSUS$","Mustang Panda","Sandworm Team","Scattered Spider","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1003/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003.001] OS Credential Dumping_Analytic_6]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` EventCode=4688 Image IN ("procdump.exe", "rundll32.exe", "taskmgr.exe", "powershell.exe") CommandLine IN (" -ma lsass", "rundll32.exe comsvcs.dll, MiniDump", "taskmgr.exe /dump", "powershell.exe -Command Get-Process lsass | Out-MemoryDump")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unexpected process creation related to LSASS memory dumping.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="LSASS Memory",\
mitre_subtechnique_id="T1003.001",\
apt=mvappend("APT1","APT28","APT3","APT32","APT33","APT39","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Cleaver","Earth Lusca","Ember Bear","FIN13","FIN6","FIN8","Fox Kitten","GALLIUM","HAFNIUM","Indrik Spider","Ke3chang","Kimsuky","Leafminer","Leviathan","Magic Hound","Moonstone Sleet","MuddyWater","OilRig","PLATINUM","Play","RedCurl","Sandworm Team","Silence","Threat Group-3390","Volt Typhoon","Whitefly","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1003/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003.001] OS Credential Dumping_Analytic_4]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="10" AND TargetImage= "lsass.exe" AND (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)CallTrace="C:\windows\SYSTEM32\ntdll.dll+|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Mimikatz",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="LSASS Memory",\
mitre_subtechnique_id="T1003.001",\
apt=mvappend("APT1","APT28","APT3","APT32","APT33","APT39","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Cleaver","Earth Lusca","Ember Bear","FIN13","FIN6","FIN8","Fox Kitten","GALLIUM","HAFNIUM","Indrik Spider","Ke3chang","Kimsuky","Leafminer","Leviathan","Magic Hound","Moonstone Sleet","MuddyWater","OilRig","PLATINUM","Play","RedCurl","Sandworm Team","Silence","Threat Group-3390","Volt Typhoon","Whitefly","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1003/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003.003] OS Credential Dumping_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/003
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`windows-security` EventCode IN (4656, 4663)) OR (`sysmon` EventCode="11") ANDObjectType="File" AND TargetFilename="*ntds.dit" AND (AccessList="%%4416" OR AccessList="%%4419" OR AccessList="%%4417" OR AccessList="%%4424")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Active Directory Dumping via NTDSUtil",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="NTDS",\
mitre_subtechnique_id="T1003.003",\
apt=mvappend("APT28","APT41","Chimera","Dragonfly","FIN13","FIN6","Fox Kitten","HAFNIUM","Ke3chang","LAPSUS$","Mustang Panda","Sandworm Team","Scattered Spider","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1003/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1070] Indicator Removal on Host]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="wevtutil.exe" OR process_command_line="*wevtutil* cl*") NOT ("MsMpEng.exe" OR "*C:\\Windows\\System32\\msiexec.exe*" OR "9AC08E99-230B-47e8-9721-4577B7F124EA")\
| eval mitre_category="Defense_Evasion" \
| eval mitre_technique="Indicator Removal on Host" \
| eval mitre_technique_id="T1070" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T-Codes that are 0] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 4 * * *
description = show the reports that are hitting 0 currently.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = area
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_priority = higher
schedule_window = auto
search = | rest /services/saved/searches\
| search search="*mitre_technique*"\
| search title="[T*"\
| table title\
| join type=outer title\
    [ search index=_internal sourcetype=scheduler earliest=-120d@d latest=@d\
    | stats count by savedsearch_name\
    | rename savedsearch_name as title ]\
| fillnull value=0 count\
| where count == 0\
| sort count

[[Volt Typhoon T-Codes per day] Hunt Tool]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 3 * * *
description = shows the t-codes during the day
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = area
display.visualizations.charting.drilldown = none
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = index=*\
```T-Codes during the day```\
mitre_technique_id IN (T1057,T1090,T1012,T1018,T1113,T1593,T1594,T1518,T1218,T1082,T1614,T1016,T1049,T1033,T1007,T1124,T1552,T1078,T1047) OR mitre_subtechnique_id IN (T1087.001,T1087.002,T1583.003,T1071.001,T1560.001,T1059.001,T1059.003,T1059.004,T1584.003,T1584.004,T1584.005,T1584.008,T1555.003,T1074.001,T1587.001,T1587.004,T1573.001,T1573.002,T1222.002,T1589.002,T1590.004,T1590.006,T1591.004,T1562.001,T1070.001,T1070.004,T1070.007,T1056.001,T1036.004,T1036.005,T1036.008,T1027.002,T1588.002,T1588.006,T1003.001,T1003.003,T1069.001,T1069.002,T1055.009,T1090.001,T1090.003,T1021.001,T1596.005,T1505.003,T1518.001,T1016.001,T1552.004,T1078.002,T1497.001) OR apt="Volt Typhoon" OR campaign="HIBL"\
| dedup _time\
```| stats count by mitre_technique_id```\
| timechart count

[[T0000] HIBL Bad IPs]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` id.orig_h IN ("27.102.113.57","27.102.113.240","27.102.114.55","27.102.115.51","27.102.129.120","107.148.165.158","154.233.135.214","172.86.106.15","172.86.105.194","167.172.96.199","43.133.146.74","43.133.146.74","103.77.192.1","45.155.91.266","49.7.205.232","112.26.45.226","207.211.171.189","14.255.53.122","195.24.207.233","45.161.176.192","45.140.192.46","45.148.10.81","164.92.120.53","63.135.53.251","45.63.75.43","198.210.73.106","83.78.221.191") OR id.resp_h IN ("27.102.113.57","27.102.113.240","27.102.114.55","27.102.115.51","27.102.129.120","107.148.165.158","154.233.135.214","172.86.106.15","172.86.105.194","167.172.96.199","43.133.146.74","43.133.146.74","103.77.192.1","45.155.91.266","49.7.205.232","112.26.45.226","207.211.171.189","14.255.53.122","195.24.207.233","45.161.176.192","45.140.192.46","45.148.10.81","164.92.120.53","63.135.53.251","45.63.75.43","198.210.73.106","83.78.221.191") OR server_name IN ("imap.newlylab.com","mail.reclubpress.com","imap.webdignusdata.com","freedecrease.com","aftercould.com","datacentreonline.com","game.newfreepre.com")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="HIBL IPs",\
mitre_category="Discovery",\
mitre_technique="Remote System Discovery",\
mitre_technique_id="T0000", \
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="",\
campaign="HIBL",\
mitre_link="",\
creator="Cpl Iverson",\
upload_date="2024/12/06",\
last_modify_date="2024/12/06",\
mitre_version="v16",\
priority="Critical"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt campaign hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1053] Scheduled Task - Process]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) \
(process_name="taskeng.exe" OR process_name="schtasks.exe" OR process_name="svchost.exe" NOT (process_parent_path="-" OR process_parent_path="C:\\Windows\\System32\\services.exe" OR *realtekservice*))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.",\
mitre_category=mvappend("Persistence","Privilege_Escalation","Execution"),\
mitre_technique="Scheduled Task",\
mitre_technique_id="T1053",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="Earth Lusca",\
mitre_link="https://attack.mitre.org/techniques/T1053/",\
creator="Cpl Iverson",\
upload_date="2024-12-03",\
last_modify_date="2024-12-10",\
mitre_version="v16",\
priority=""\
| collect `jarvis_index`\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1036] Masquerading - svchost]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="svchost.exe" NOT (process_parent_name="services.exe" OR process_parent_name="-" OR process_parent_name="MsMpEng.exe")) OR process_name="scvhost.exe"\
| eval hunting_trigger="parent child mismatch"\
| eval mitre_category="Defense_Evasion"\
| eval mitre_technique="Masquerading"\
| eval mitre_technique_id="T1036" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 6-59/15 * * * *
description = parent > child mismatch \
thanks to endgame
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1027] Obfuscated Files or Information - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\
https://attack.mitre.org/techniques/T1027/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (RuleName="technique_id=T1027,technique_name=Obfuscated Files or Information" NOT process_command_line=*GoogleUpdater*)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.",\
mitre_category="Defense_Evasion",\
mitre_technique="Obfuscated Files or Information",\
mitre_technique_id="T1027",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1027/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation - Network]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
enableSched = 1
search = `indextime` `sysmon` event_id=3 (process_name="wmic.exe" OR process_command_line="*wmic* ")\
| eval mitre_category="Execution" \
| eval mitre_technique="Windows Management Instrumentation" \
| eval mitre_technique_id="T1047" \
| eval hunting_trigger="Instances of wmic process" \
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[Volt Typhoon Event Logs] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = shows all t codes for the day with Volt Typhoon
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `jarvis_index` mitre_technique_id IN (T1010,T1217,T1555,T1005,T1074,T1006,T1546,T1190,T1068,T1133,T1083,T1592,T1589,T1590,T1591,T1105,T1570,T1654,T1112,T1046,T1095,T1571,T1120,T1069,T1057,T1090,T1012,T1018,T1113,T1593,T1594,T1518,T1218,T1082,T1614,T1016,T1049,T1033,T1007,T1124,T1552,T1078,T1047) OR mitre_subtechnique_id IN (T1087.001,T1087.002,T1583.003,T1071.001,T1560.001,T1059.001,T1059.003,T1059.004,T1584.003,T1584.004,T1584.005,T1584.008,T1555.003,T1074.001,T1587.001,T1587.004,T1573.001,T1573.002,T1222.002,T1589.002,T1590.004,T1590.006,T1591.004,T1562.001,T1070.001,T1070.004,T1070.007,T1056.001,T1036.004,T1036.005,T1036.008,T1027.002,T1588.002,T1588.006,T1003.001,T1003.003,T1069.001,T1069.002,T1055.009,T1090.001,T1090.003,T1021.001,T1596.005,T1505.003,T1518.001,T1016.001,T1552.004,T1078.002,T1497.001) OR campaign="HIBL"\
| dedup _time

[[T1203] Exploitation for Client Execution - Unusual Child Process Creation]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1203/\
Analytic 2 - Unusual Child Process Creation
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (ParentImage= "\winword.exe" OR ParentImage= "\excel.exe" OR ParentImage= "\powerpnt.exe") NOT (Image=*system32* OR Image=*program files*)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual Child Process Creation",\
mitre_category="Execution",\
mitre_technique="Exploitation for Client Execution",\
mitre_technique_id="T1203",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
cve=mvappend("CVE-2020-0938","CVE-2020-1020"),\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1203/",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1203] Exploitation for Client Execution - logs related to application crashes]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1203/\
Analytic 1 - logs related to application crashes or unexpected behavior, which could signal an attempt to exploit vulnerabilities.
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-app` EventCode=1000\
| search application IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "acrord32.exe", "flashplayer.exe")\
| stats count by application event_description\
| where event_description IN ("crash", "instability", "unexpected termination")\
| eval hash_sha256= lower(hash_sha256),\
mitre_category="Execution",\
mitre_technique="Exploitation for Client Execution",\
mitre_technique_id="T1203",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
cve=mvappend("CVE-2020-0938","CVE-2020-1020"),\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1203/",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1204.001] Malicious Link - Web-based network connections]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1204/001/\
Analytic 1 - Web-based network connections to suspicious destinations.
disabled = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype=network_connection\
| search process_name IN ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe") OR src_ip IN ("")\
hunting_trigger="Analytic 1 - Web-based network connections to suspicious destinations.",\
mitre_category="Execution",\
mitre_technique="User Execution",\
mitre_technique_id="T1204",\
mitre_subtechnique="Malicious Link", \
mitre_subtechnique_id="T1204.001",\
cve="CVE-2020-11023",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1204/001",\
creator="Cpl Iverson",\
upload_date="2024-12-11",\
last_modify_date="2024-12-11",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1137.006] Add-ins - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\
https://attack.mitre.org/techniques/T1137/006/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1137.006,technique_name=Office Add-ins" NOT ("UmOutlookAddin.FormRegionAddin" OR "AdobeAcroOutlook.SendAsLink" OR "OscAddin.Connect" OR "TeamsAddin.FastConnect" OR "ac.activclient.oladdin")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.",\
mitre_category=mvappend("Persistence",""),\
mitre_technique="Office Application Startup",\
mitre_technique_id="T1137",\
mitre_subtechnique="Add-ins", \
mitre_subtechnique_id="T1137.006",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1137/006/",\
creator="Cpl Iverson",\
upload_date="2024/12/03",\
last_modify_date="2024/12/03",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[Jarvis T-Codes Per MInute] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_priority = higher
schedule_window = auto
search = `jarvis_index`\
| eval mitre_category=split(mitre_category, "[ ,]")\
| mvexpand mitre_category\
| search mitre_category IN ("Initial_Access", "Execution", "Persistence", "Privilege_Escalation", "Defense_Evasion", "Credential_Access", "Discovery", "Lateral_Movement", "Collection", "Exfiltration", "Command_and_Control", "Impact")\
| stats count by _time, mitre_category\
| timechart span=15m sum(count) by mitre_category useother=false

[[Activity by time per day] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_priority = higher
schedule_window = auto
search = `jarvis_index`\
| eval mitre_category=split(mitre_category, "[ ,]")\
| mvexpand mitre_category\
| search mitre_category IN ("Initial_Access", "Execution", "Persistence", "Privilege_Escalation", "Defense_Evasion", "Credential_Access", "Discovery", "Lateral_Movement", "Collection", "Exfiltration", "Command_and_Control", "Impact")\
| stats count by _time, mitre_category\
| timechart span=15m sum(count) by mitre_category useother=false

[[APT 5 T-Codes per day] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = index=* ```T-Codes during the day```\
mitre_technique_id IN(T1554,T1190,T1083,T1070,T1654,T1057,T1055,T1049,T1078.002) OR mitre_subtechnique_id IN(T1098.007,T1560.001,T1059.001,T1059.003,T1136.001,T1074.001,T1562.006,T1070.003,T1070.004,T1070.006,T1056.001,T1036.005,T1003.001,T1003.002,T1021.001,T1021.004,T1053.003,T1505.003,T1078.002,T1078.004) OR apt="APT5"\
| dedup _time\
| timechart span=1h count

[[T1218.010] Bypassing with Regsvr32]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
description = https://attack.mitre.org/techniques/T1218/010/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) \
((process_name="regsvr32.exe" NOT (process_command_line=*TeamsMeetingAddin* OR *AccessibleMarshal* OR *RTHDASIO* OR *PrintConfig* OR *cui_dch*)) OR \
(process_name="rundll32.exe" OR (DavSetCookie AND http:) NOT (*StateRepositoryDoMaintenanceTasks* OR *PcaPatchSdbTask* OR *Startupscan.dll* OR *Adobe* OR *OneCore* OR *McAfee* OR *sysmonscript* OR *inetcpl* OR *EDGEHTML.dll*))) OR process_command_line="*scrobj*" NOT ("acproxy.dll" OR "shell32.dll" OR "acmigration.dll")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Clear command history in network OS which is used for defense evasion",\
mitre_category=mvappend("Defense_Evasion",""),\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Regsvr32", \
mitre_subtechnique_id="T1218.010",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/010/",\
creator="Cpl Iverson",\
upload_date="2024/11/20",\
last_modify_date="2024/12/04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.004] Winlogon Helper DLL]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
description = https://attack.mitre.org/techniques/T1547/004/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\user_nameinit\\*" OR registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*" OR registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse features of Winlogon to execute DLLs and or executables when a user logs in.",\
mitre_category="Persistence",\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Winlogon Helper DLL", \
mitre_subtechnique_id="T1547.004",\
apt=mvappend("Tropic Trooper","Turla","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1547/004/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2024-12-18",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.010] Port Monitors]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 10-59/15 * * * *
description = https://attack.mitre.org/techniques/T1547/010/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SYSTEM\CurrentControlSet\Control\Print\Monitors\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Port Monitors", \
mitre_subtechnique_id="T1547.010",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1547/010/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2024-12-18",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1560] Archive Collected Data - Files Clone]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1560/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` event_id=11 (file_path="*.zip" OR file_path="*.rar" OR file_path="*.arj" OR (file_path="*.gz" NOT "WindowsApps\\MicrosoftTeams") OR file_path="*.tar" OR file_path="*.tgz" OR file_path="*.7z" OR file_path="*.zip" OR file_path="*.tar.gz" OR file_path="*.bin") \
| eval hunting_trigger="Archive Collected Data",\
mitre_category="Collection",\
mitre_technique="Archive Collected Data",\
mitre_technique_id="T1560", \
mitre_subtechnique="",\
mitre_subtechnique_id=""\
| `file_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation - Process]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) NOT CommandLine IN (*Acro*, *nessus*, *Chrome*, *Office*, *Firefox*, *Webex*, *sysmon*, *Edge*, *batteryreport*, *SMS_DesiredConfiguration*) OR (`windows-security` event_id=4688)) (process_parent_path="*\\wmiprvse.exe" OR process_name="wmic.exe" OR process_command_line="*wmic* ")\
| eval mitre_category="Execution" \
| eval mitre_technique="Windows Management Instrumentation" \
| eval mitre_technique_id="T1047" \
| eval hunting_trigger="Instances of wmiprvse" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1059.001] Command and Scripting Powershell]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1059/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`windows-security` (EventCode=4104 OR EventCode=4688))\
| search CommandLine="*Invoke-Expression*" OR CommandLine="*Invoke-WebRequest*" OR CommandLine="*Invoke-Command*" OR CommandLine="*DownloadString*" OR CommandLine="*Start-Process*"\
| join type=inner [search index=* `windows-security` EventCode=4624 src_ip="192.0.2.*" OR src_ip="198.51.100.*"]\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="PowerShell commands commonly used by Volt Typhoon, such as Invoke-Expression, Invoke-WebRequest, Invoke-Command, DownloadString, and Start-Process",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell",\
mitre_subtechnique_id="T1059.001",\
apt="Volt Typhoon",\
mitre_link="https://medium.com/@esilvalabh/kql-xql-aql-and-splunk-scripts-use-cases-detecting-volt-typhoon-malware-in-critical-11dff4acf4bf",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-06",\
last_modify_date="2025-01-06",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1560] LOLBAS Chinese APT Creating a 7z Archive in temp]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1560/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` AND ((Image="*\\7z.exe" OR OriginalFileName="7z.exe") AND CommandLine="*a -p*" AND CommandLine="*c:\\windows\\temp\\*")\
``` name: LOLBAS Chinese APT Creating a 7z Archive in temp ```\
``` uuid: 805be6dd-20d2-42dc-b70a-b058ae83002b ```\
``` author: SIMKRA, @SIMKRA202 ```\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the suspicious creation of a 7z achrive into the c:\windows\temp\ folder.",\
mitre_category="Collection",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1560",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Creating%20a%207z%20Archive%20in%20temp.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.001] LOLBAS Chinese APT PowerShell Hidden RAR Execution]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20PowerShell%20Hidden%20RAR%20Execution.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` AND ((Image="*\\powershell.exe" OR OriginalFileName="powershell.exe") AND CommandLine="*start-process*" AND (CommandLine="*filepath c:\\windows\\temp\\*" AND CommandLine="*windowstyle Hidden rar.exe*"))\
``` name: LOLBAS Chinese APT PowerShell Hidden RAR Execution ```\
``` author: SIMKRA, @SIMKRA202 ```\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the PowerShell command to hidden executes from a temp folder an a.bat with rar.exe.",\
mitre_category="Defense_Evasion",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell",\
mitre_subtechnique_id="T1059.001",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20PowerShell%20Hidden%20RAR%20Execution.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.001] LOLBAS Chinese APT Succesful Logon on Host]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Succesful%20Logon%20on%20Host.yml
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` AND ((Image="*\\powershell.exe" OR OriginalFileName="powershell.exe") AND CommandLine="*Get-EventLog*" AND (CommandLine="*Get-EventLog security -instanceid 4624*" OR CommandLine="*Get-Eventlog security*"))\
``` name: LOLBAS Chinese APT Succesful Logon on Host ```\
``` author: SIMKRA, @simonekrausora1 ```\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the PowerShell command to identify successful logons to the host.",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell",\
mitre_subtechnique_id="T1059.001",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Succesful%20Logon%20on%20Host.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.006] Windows Remote Management]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 4-59/15 * * * *
description = https://attack.mitre.org/techniques/T1021/006/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="wsmprovhost.exe" OR process_name="winrm.cmd" OR process_command_line="*Enable-PSRemoting -Force*" OR process_command_line="*Invoke-Command -computer_name*" process_command_line="wmic*node*process call create*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM).",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Windows Remote Management", \
mitre_subtechnique_id="T1021.006",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1021/006/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1543.003] Windows Service]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe") AND (process_command_line="*sc*config*binpath*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.",\
mitre_category=mvappend("Persistence","Privilege Escalation"),\
mitre_technique="Create or Modify System Process",\
mitre_technique_id="T1543",\
mitre_subtechnique="Windows Service", \
mitre_subtechnique_id="T1543.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1543/003/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority="medium"\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1543.003] Windows Service - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
description = https://attack.mitre.org/techniques/T1543/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe") AND (process_command_line="*New-Service*BinaryPathName*" OR process_command_line="*sc*create*binpath*" OR process_command_line="*Get-WmiObject*Win32_Service*create*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Create or Modify System Process",\
mitre_technique_id="T1543",\
mitre_subtechnique="Windows Service", \
mitre_subtechnique_id="T1543.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1543/003/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.006] Indicator Blocking - Driver unloaded]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="fltmc.exe" OR process_command_line="*fltmc*unload*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Indicator Blocking", \
mitre_subtechnique_id="T1562.006",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1562/006/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.006] Indicator Blocking - Sysmon registry edited from other source]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 4-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\*" OR registry_key_path="HKLM\\System\\CurrentControlSet\\Services\\Sysmon\\*" OR registry_key_path="HKLM\\System\\CurrentControlSet\\Services\\Sysmon64\\*") process_name!="Sysmon64.exe" process_name!="Sysmon.exe" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Sysmon registry edited from other source",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Indicator Blocking", \
mitre_subtechnique_id="T1562.006",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1562/006/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.006] Indicator Blocking - Unknown Sysmon Config loaded]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
description = Make sure to keep trusted-sysmon-configurations.csv up to date
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=16 NOT [|inputlookup trusted-sysmon-configurations.csv | fields hash_sha1]\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unknown Sysmon Config loaded",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Indicator Blocking", \
mitre_subtechnique_id="T1562.006",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1562/006/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.001] Registry Run Keys or Start Folder]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" OR registry_key_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\Explorer\\*Shell Folders") NOT ("C:\\Program Files (x86)\\Microsoft\\Edge*" OR "AppData\\Local\\WebEx\\WebexHost.exe" OR "RunNotification\\StartupTNoti*" OR "RunOnce\\WAB Migrate" OR "C:\\Windows\\System32\\OneDriveSetup.exe" OR "C:\\Windows\\SysWOW64\\OneDriveSetup.exe" OR "AppData\\Local\\Microsoft\\Teams\\Update.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Registry Run Keys / Startup Folder", \
mitre_subtechnique_id="T1547.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1547/001/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.001] Registry Run Keys or Start Folder - Folder Changed]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=13 registry_key_path="HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup" AND registry_key_details!="*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"  \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="User start folder changed",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Registry Run Keys / Startup Folder", \
mitre_subtechnique_id="T1547.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1547/001/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1574.002] DLL Side-Loading - PowerShell]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=7 (driver_loaded="*\\System.Management.Automation.ni.dll" OR driver_loaded="*\\System.Management.Automation.dll" OR driver_loaded="*\\PowerShdll.dll") NOT (process_name=*mscorsvw* ```process that is related to the Microsoft . NET Framework``` OR process_name="powershell.exe" OR process_name="powershell_ise.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Possibly non-legit PowerShell",\
mitre_category=mvappend("Persistence","Privilege_Escalation","Defense_Evasion"),\
mitre_technique="Hijack Execution Flow",\
mitre_technique_id="T1574",\
mitre_subtechnique="DLL Side-Loading", \
mitre_subtechnique_id="T1574.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1574/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1574.002] DLL Side-Loading - WMI]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 4-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=7 (driver_loaded="wmiutils.dll") (process_path!="C:\\Windows\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Possibly non-legit WMI use",\
mitre_category=mvappend("Persistence","Privilege_Escalation","Defense_Evasion"),\
mitre_technique="Hijack Execution Flow",\
mitre_technique_id="T1574",\
mitre_subtechnique="DLL Side-Loading", \
mitre_subtechnique_id="T1574.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1574/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1550.002] Pass the Hash NULL SID]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 4-59/15 * * * *
description = Windows EventID 4624
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `windows-security` event_id=4624 AND ((Security_ID="NULL SID" OR Security_ID="S-1-0-0") AND (Logon_Type="3") AND (Source_Network_Address != "*::1*") AND (Logon_Process="*NtLmSsp") AND (Package_Name__NTLM_only_="*NTLM V2") AND (Key_Length="0") AND (user != "*ANONYMOUS LOGON" OR Account_Name != "*ANONYMOUS LOGON")) \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="NULL SID used",\
mitre_category=mvappend("Defense_Evasion","Lateral_Movement"),\
mitre_technique="Use Alternate Authentication Material",\
mitre_technique_id="T1550",\
mitre_subtechnique="Pass the Hash", \
mitre_subtechnique_id="T1550.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1550/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| eval target_user_name=mvindex(Account_Name,1) \
| eval user_name=mvindex(Account_Name,0) \
| eval target_user_domain=mvindex(Account_Domain,1) \
| rename ComputerName as host_fqdn, Source_Network_Address as src_ip, Workstation_Name as src_host_name \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime,host_fqdn, user_sid, user_name src_host_name src_ip target_user_name target_user_domain mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1083] File and Directory Discovery]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1083/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND 'powershell /c' AND 'Get-PhysicalDisk'\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.",\
mitre_category="Discovery",\
mitre_technique="File and Directory Discovery",\
mitre_technique_id="T1083",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1083/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562] Impair Defenses]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1562/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"')\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools", \
mitre_subtechnique_id="T1562.001",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1562/001/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1087.003] Email Account]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1087/003
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ('powershell /c' AND ('Get-ADUser -Filter * -Properties EmailAddress' OR 'Select-Object Name, EmailAddress') OR 'powershell /c Get-ADUser')\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).",\
mitre_category="Discovery",\
mitre_technique="Account Discovery",\
mitre_technique_id="T1087",\
mitre_subtechnique="Email Account", \
mitre_subtechnique_id="T1087.003",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1087/003",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1137.001] Office Template Macros]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1137/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND *.docm\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. ",\
mitre_category="Persistence",\
mitre_technique="Office Application Startup",\
mitre_technique_id="T1137",\
mitre_subtechnique="Office Template Macros", \
mitre_subtechnique_id="T1137.001",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1137/001/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1078.001] Default Accounts]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1078/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c' AND 'net user DefaultAccount /active:yes')\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.",\
mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation","Initial_Access"),\
mitre_technique="Valid Accounts",\
mitre_technique_id="T1078",\
mitre_subtechnique="Default Accounts", \
mitre_subtechnique_id="T1078.001",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1078/001/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562] Impair Defenses MH]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1562/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ('reg add' AND ('HKLM\SYSTEM\CurrentControlSet\Control\LSA' OR '/v RunAsPPL' OR '/t REG_DWORD /d 0 /f'))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1562/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.002] Disable Windows Event Logging]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1562/002/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ("powershell.exe /c" AND 'auditpol /clear /y')\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable Windows Event Logging", \
mitre_subtechnique_id="T1562.002",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1562/002/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.001] Disable or Modify Tools]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1562/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")) (Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )) OR (ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools", \
mitre_subtechnique_id="T1562.001",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1562/001",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1049] System Network Connections Discovery MH]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1049/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ("quser.exe" OR "netstat -ano")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",\
mitre_category="Discovery",\
mitre_technique="System Network Connections Discovery",\
mitre_technique_id="T1049",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt=mvappend("Volt Typhoon","Magic Hound"),\
mitre_link="https://attack.mitre.org/techniques/T1049/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1560.001] Archive via Utility]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1560/001/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.",\
mitre_category="Collection",\
mitre_technique="Archive Collected Data",\
mitre_technique_id="T1560",\
mitre_subtechnique="Archive via Utility", \
mitre_subtechnique_id="T1560.001",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1560/001/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1486] Data Encrypted for Impact]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1486/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` OR `windows`) AND ("schtasks /create /tn" OR "/ru SYSTEM")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.",\
mitre_category="Impact",\
mitre_technique="Data Encrypted for Impact",\
mitre_technique_id="T1486",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="Magic Hound",\
mitre_link="https://attack.mitre.org/techniques/T1486/",\
creator="Cpl Iverson",\
upload_date="2025-01-08",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.002] SMB/Windows Admin Shares - Process - Created]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe") AND (process_command_line="*net* share*$")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Share creation",\
mitre_category="Defense_Evasion",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="SMB/Windows Admin Shares", \
mitre_subtechnique_id="T1021.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1021/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.002] SMB/Windows Admin Shares - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" OR process_name=powershell.exe) AND (process_command_line="*net* use*$" OR process_command_line="*net* session*$" OR process_command_line="*net* file*$" process_command_line=""*New-PSDrive*root*)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).",\
mitre_category="Defense_Evasion",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="SMB/Windows Admin Shares", \
mitre_subtechnique_id="T1021.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1021/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.002] Windows Admin Shares - Network]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=3 (process_name="net.exe") AND (process_command_line="*net* use*$" OR process_command_line="*net* session*$" OR process_command_line="*net* file*$")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).",\
mitre_category="Defense_Evasion",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="SMB/Windows Admin Shares", \
mitre_subtechnique_id="T1021.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1021/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1552.001] Credentials In Files]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*findstr* /si pass*" OR process_command_line="*select-string -Pattern pass*" OR process_command_line="*list vdir*/text:password*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="Credentials In Files", \
mitre_subtechnique_id="T1552.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1552/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.001] PowerShell - sysmon]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 6-59/15 * * * *
description = Sysmon
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="powershell.exe" OR process_name="powershell_ise.exe" OR process_name="psexec.exe") NOT (*McAfee* OR *sysmonscript.ps1* OR *OCSP* OR *Bitlocker* OR *LogInsight* OR *DeliveryOptimizationStatus*)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Sysmon script saying that there is powershell execution.",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell", \
mitre_subtechnique_id="T1059.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1059/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.001] PowerShell Base64 block used]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
description = Powershell Logging
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = | multisearch \
    [ search `indextime` `powershell` (event_id=400 OR event_id=500) \
    | eval MessageA=split(Message,"Details:") \
    | eval Short_Message=mvindex(MessageA,1) \
    | eval MessageA=split(Short_Message,"HostVersion=") \
    | eval MessageA=mvindex(MessageA,1) \
    | eval MessageB=split(MessageA,"HostId=") \
    | eval PS_Version=mvindex(MessageB,0) \
    | eval MessageC=mvindex(MessageB,1) \
    | eval MessageD=split(MessageC,"HostApplication=") \
    | eval Host_ID=mvindex(MessageD,0) \
    | eval MessageE=mvindex(MessageD,1) \
    | eval MessageF=split(MessageE,"EngineVersion=") \
    | eval Host_Application=mvindex(MessageF,0) \
    | eval MessageG=mvindex(MessageF,1) \
    | eval MessageH=split(MessageG,"RunspaceId=") \
    | eval Engine_Version=mvindex(MessageH,0) \
    | eval MessageJ=mvindex(MessageH,1) \
    | eval MessageP=split(MessageJ,"process_command_line=") \
    | eval Command_Line=mvindex(MessageP,1) \
    | rex field=Host_Application "(?<Base64_Data>.[a-zA-Z0-9]{25,1000}+={1})" \
    | fields _time host_fqdn, host, PS_Version, Engine_Version, Host_Application, base64_data, Command_Line | rename Command_Line as process_command_line, HostName as host_fqdn, Host_Application as process_path\
    | where NOT isnull(base64_data)]  \
    [ search `indextime` `windows-security` (event_id=4688) \
    | rex field=Process_Command_Line "(?<base64_data>.[a-zA-Z0-9]{25,1000}+={1})" \
    | fields _time host base64_data, Process_Command_Line | rename Process_Command_Line as process_command_line, HostName as host_fqdn\
    | where NOT isnull(base64_data)] \
    [ search `indextime` `sysmon` (event_id=1) process_name="powershell.exe" \
    | rex field=process_command_line "(?<base64_data>.[a-zA-Z0-9//+]{25,1000}+={1})" \
    | fields _time host_fqdn base64_data, process_command_line, process_path, user_name \
    | where NOT isnull(base64_data)] \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Base64 block used",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell", \
mitre_subtechnique_id="T1059.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1059/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime, host_fqdn, base64_data, PS_Version, Engine_Version, Host_Application, process_command_line, process_path, user_name mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.001] PowerShell Downloads - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 6-59/15 * * * *
description = Sysmon
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*.Download*" OR process_command_line="*Net.WebClient*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Download or web connection",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="PowerShell", \
mitre_subtechnique_id="T1059.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1059/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1548.002] Bypass User Account Control - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_parent_path="*\\eventvwr.exe" OR process_parent_path="*\\fodhelper.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.",\
mitre_category=mvappend("Privilege Escalation","Defense Evasion"),\
mitre_technique="Abuse Elevation Control Mechanism",\
mitre_technique_id="T1548",\
mitre_subtechnique="Bypass User Account Control", \
mitre_subtechnique_id="T1548.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1548/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1548.002] Bypass User Account Control - Registry]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\mscfile\\shell\\open\\command\\*" OR registry_key_path="*\\ms-settings\\shell\\open\\command\\*") AND (user_sid!="S-1-5-18" OR user_sid!="S-1-5-19" OR user_sid!="S-1-5-20")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may bypass UAC for Registry",\
mitre_category=mvappend("Privilege Escalation","Defense Evasion"),\
mitre_technique="Abuse Elevation Control Mechanism",\
mitre_technique_id="T1548",\
mitre_subtechnique="Bypass User Account Control", \
mitre_subtechnique_id="T1548.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1548/002/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.001] Disabling Security Tools - Sysmon service was terminated]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` EventCode=7034 Message="*Sysmon*"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Sysmon service was terminated",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools", \
mitre_subtechnique_id="T1562.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1562/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2024-01-09",\
mitre_version="v16",\
priority=""\
| rename ComputerName as Computer Message as State \
| eval indextime = _indextime | convert ctime(indextime) | table Computer State mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.001] Disabling Security Tools - Sysmon service state change]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = | multisearch [search `indextime` `sysmon` event_id=4 State!=Started | fields _time host_fqdn service_state] [search `indextime` `windows-security` event_id=7036 Message="*Sysmon*" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Sysmon state change",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools", \
mitre_subtechnique_id="T1562.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1562/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2024-01-09",\
mitre_version="v16",\
priority=""\
| rename HostName as host_fqdn Message as service_state | fields host_fqdn service_state] | eval indextime = _indextime | convert ctime(indextime) | table _time indextime host_fqdn service_state mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1562.001] Disabling Security Tools - Service stopped]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name=net.exe OR process_name=sc.exe) cmdline="* stop *"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Service stopped",\
mitre_category="Defense_Evasion",\
mitre_technique="Impair Defenses",\
mitre_technique_id="T1562",\
mitre_subtechnique="Disable or Modify Tools", \
mitre_subtechnique_id="T1562.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1562/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2024-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1055.012] Process Hollowing]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
description = parent > child mismatch \
thanks to endgame
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="smss.exe" NOT (process_parent_name="smss.exe"  OR process_parent_name="-")) OR (process_name="csrss.exe" AND (process_parent_name!="smss.exe" AND process_parent_name!="svchost.exe")) OR (process_name="wininit.exe" NOT (process_parent_name="-" OR process_parent_name="smss.exe")) OR (process_name="winlogon.exe" AND process_parent_name!="smss.exe") OR (process_name == "lsass.exe" and parent_process_name != "wininit.exe") OR (process_name="LogonUI.exe" NOT (process_parent_name="-" OR process_parent_name="winlogon.exe" OR process_parent_name="wininit.exe")) OR (process_name="services.exe" AND process_parent_name!= "wininit.exe") OR (process_name="spoolsv.exe" AND process_parent_name!= "services.exe") OR (process_name="taskhost.exe" AND (process_parent_name!="" AND process_parent_name!="services.exe" AND process_parent_name!="svchost.exe")) OR (process_name="taskhostw.exe" AND (process_parent_name!="-" AND process_parent_name!="services.exe" AND process_parent_name!="svchost.exe")) OR (process_name="userinit.exe" NOT (process_parent_name="dwm.exe" OR process_parent_name="winlogon.exe"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="parent child mismatch",\
mitre_category=mvappend("Defense_Evasion","Privilege_Escalation"),\
mitre_technique="Process Injection",\
mitre_technique_id="T1055",\
mitre_subtechnique="Process Hollowing", \
mitre_subtechnique_id="T1055.012",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1055/012/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1055.012] Process Hollowing - commandline]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="" OR process_command_line=$$process_path$$)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="possible hollowed process",\
mitre_category=mvappend("Defense_Evasion","Privilege_Escalation"),\
mitre_technique="Process Injection",\
mitre_technique_id="T1055",\
mitre_subtechnique="Process Hollowing", \
mitre_subtechnique_id="T1055.012",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1055/012/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1055.012] Process Hollowing - office commandline]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_parent_name="winword.exe" OR process_parent_name="excel.exe" OR process_parent_name="outlook.exe") process_command_line="C:\\Program Files\\Microsoft Office\\*-enc*"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="possible hollowed process",\
mitre_category=mvappend("Defense_Evasion","Privilege_Escalation"),\
mitre_technique="Process Injection",\
mitre_technique_id="T1055",\
mitre_subtechnique="Process Hollowing", \
mitre_subtechnique_id="T1055.012",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1055/012/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1564.004] NTFS File Attributes]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="fsutil.exe" proces_command_line="*usn*deletejournal*" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="MFT/USN modification",\
mitre_category="Defense_Evasion",\
mitre_technique="Hide Artifacts",\
mitre_technique_id="T1564",\
mitre_subtechnique="NTFS File Attributes", \
mitre_subtechnique_id="T1564.004",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1564/004/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1550.003] Pass the ticket]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` (EventCode=4771 OR EventCode=4768 OR EventCode=4769) Failure_Code=0x1F\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may pass the ticket using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.",\
eval mitre_category=mvappend("Defense Evasion","Lateral Movement"),\
eval mitre_technique="Use Alternate Authentication Material",\
eval mitre_technique_id = "T1550",\
mitre_subtechnique="Pass the Ticket",\
mitre_subtechnique_id="T1550.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1550/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.005] Security Support Provider]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\process_path File Execution Options\\LSASS.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots.",\
mitre_category=mvappend("Persistence","Privilege_Escalation"),\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Security Support Provider", \
mitre_subtechnique_id="T1547.005",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1547/005/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1070.004] File Deletion]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*remove-item*" OR process_command_line="vssadmin*Delete Shadows /All /Q*" OR process_command_line="*wmic*shadowcopy delete*" OR process_command_line="*wbdadmin* delete catalog -q*" OR process_command_line="*bcdedit*bootstatuspolicy ignoreallfailures*" OR process_command_line="*bcdedit*recoveryenabled no*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may delete files left behind by the actions of their intrusion activity.",\
mitre_category="Defense_Evasion",\
mitre_technique="Indicator Removal",\
mitre_technique_id="T1070",\
mitre_subtechnique="File Deletion", \
mitre_subtechnique_id="T1070.004",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1070/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.010] Regsvr32 - Network]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=3 (process_parent_path="*\\regsvr32.exe" OR process_path="*\\regsvr32.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse Regsvr32.exe to proxy execution of malicious code.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Regsvr32", \
mitre_subtechnique_id="T1218.010",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/010/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.004] InstallUtil]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="InstallUtil.exe" OR process_command_line="*\/logfile= \/LogToConsole=false \/U*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="InstallUtil", \
mitre_subtechnique_id="T1218.004",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.009] Regsvcs/Regasm]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="regsvcs.exe" OR process_name="regasm.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Regsvcs/Regasm", \
mitre_subtechnique_id="T1218.009",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/009/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1070.005] Network Share Connection Removal]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" AND process_command_line="*net* delete*") OR process_command_line="*Remove-SmbShare*" OR process_command_line="*Remove-FileShare*"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Share removal",\
mitre_category="Defense_Evasion",\
mitre_technique="Indicator Removal",\
mitre_technique_id="T1070",\
mitre_subtechnique="Network Share Connection Removal", \
mitre_subtechnique_id="T1070.005",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1070/005/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.007] Netsh Helper DLL - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="netsh.exe" AND process_command_line="*helper*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.",\
mitre_category=mvappend("Privilege Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Netsh Helper DLL", \
mitre_subtechnique_id="T1546.007",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/007/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.007] Netsh Helper DLL - Registry]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\Microsoft\Netsh\\*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.",\
mitre_category=mvappend("Privilege Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Netsh Helper DLL", \
mitre_subtechnique_id="T1546.007",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/007/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1553.004] Install Root Certificate]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 6-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) process_name!="svchost.exe" AND (registry_key_path="*\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\*" OR registry_key_path="*\\Microsoft\\SystemCertificates\\Root\\Certificates\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",\
mitre_category="Defense_Evasion",\
mitre_technique="Subvert Trust Controls",\
mitre_technique_id="T1553",\
mitre_subtechnique="Install Root Certificate", \
mitre_subtechnique_id="T1553.004",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1553/004/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.002] Authentication Package]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 6-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14)  (registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\*") AND NOT (process_path="C:\\WINDOWS\\system32\\lsass.exe" OR process_path="C:\\Windows\\system32\\svchost.exe" OR process_path="C:\\Windows\\system32\\services.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="dversaries may abuse authentication packages to execute DLLs when the system boots.",\
mitre_category=mvappend("Persistence","Privilege Escalation"),\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Authentication Package", \
mitre_subtechnique_id="T1547.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1547/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.011] Application Shimming - FileAccess]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 6-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=11 (file_path="C:\\Windows\\AppPatch\\Custom\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="File Access - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.",\
mitre_category="Privilege_Escalation","Persistence",\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Application Shimming", \
mitre_subtechnique_id="T1546.011",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/TT1546/011",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `file_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.011] Application Shimming - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="sdbinst.exe" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Process - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.",\
mitre_category="Privilege_Escalation","Persistence",\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Application Shimming", \
mitre_subtechnique_id="T1546.011",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/TT1546/011",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.011] Application Shimming - Registry]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Registry - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.",\
mitre_category="Privilege_Escalation","Persistence",\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Application Shimming", \
mitre_subtechnique_id="T1546.011",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/TT1546/011",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1146] Clear Command History]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*rm (Get-PSReadlineOption).HistorySavePath*" OR process_command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR process_command_line="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR process_command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",\
mitre_category="Defense_Evasion",\
mitre_technique="Indicator Removal",\
mitre_technique_id="T1070",\
mitre_subtechnique="Clear Command History", \
mitre_subtechnique_id="T1070.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1070/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1070.003] Clear Command History]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*rm (Get-PSReadlineOption).HistorySavePath*" OR process_command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR process_command_line="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR process_command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",\
mitre_category="Defense_Evasion",\
mitre_technique="Indicator Removal",\
mitre_technique_id="T1070",\
mitre_subtechnique="Clear Command History", \
mitre_subtechnique_id="T1070.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1070/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1564.001] Hidden Files and Directories - VSS]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_path="*\\VolumeShadowCopy*\\*" OR process_commandline="*\\VolumeShadowCopy*\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="VolumeShadowCopy execution",\
mitre_category="Defense_Evasion",\
mitre_technique="Hide Artifacts",\
mitre_technique_id="T1564",\
mitre_subtechnique="Hidden Files and Directories", \
mitre_subtechnique_id="T1564.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1564/001",\
creator="Cpl Parks",\
last_tested="",\
upload_date="2024-08-18",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1564.001] Hidden Files and Directories]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="attrib.exe" AND ( process_command_line="*+h*" OR process_command_line="*+s*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may set files and directories to be hidden to evade detection mechanisms.",\
mitre_category="Defense_Evasion",\
mitre_technique="Hide Artifacts",\
mitre_technique_id="T1564",\
mitre_subtechnique="Hidden Files and Directories", \
mitre_subtechnique_id="T1564.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1564/001",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.005] MSHTA - FileAccess]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=11 or event_id=15) (file_path="*.hta") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Mshta", \
mitre_subtechnique_id="T1218.005",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/005",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.005] MSHTA - Network]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 1-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=3 (process_parent_path="*\\mshta.exe" OR process_path="*\\mshta.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Network - Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Mshta", \
mitre_subtechnique_id="T1218.005",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/005",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `network_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.005] MSHTA - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_parent_path="*\\mshta.exe" OR process_name="mshta.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Process - Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Mshta", \
mitre_subtechnique_id="T1218.005",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/005",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1056.004] Credential API Hooking]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="mavinject.exe" OR process_command_line="*/INJECTRUNNING*" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may hook into Windows application programming interface (API) functions to collect user credentials.",\
mitre_category=mvappend("Collection","Credential_Access"),\
mitre_technique="Input Capture",\
mitre_technique_id="T1056",\
mitre_subtechnique="Credential API Hooking", \
mitre_subtechnique_id="T1056.004",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1056/004",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.002] Screensaver]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 1-59/15 * * * *
description = thanks to Endgame
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE") AND (process_parent_name!="explorer.exe" OR process_name!="rundll32.exe" OR process_command_line!="*shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence by executing malicious content triggered by user inactivity.",\
mitre_category=mvappend("Privilege_Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Screensaver", \
mitre_subtechnique_id="T1546.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.009] AppCert DLLs]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.",\
mitre_category=mvappend("Privilege_Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="AppCert DLLs", \
mitre_subtechnique_id="T1546.009",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/009/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1566.001] Spearphishing Attachment - Opened]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=13 registry_key_path="*trustrecords*" OR registry_key_path="*TargetObject=*Software\\Microsoft\\VBA\\7.1\\Common*" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Macro enabled for document",\
mitre_category="Initial_Access",\
mitre_technique="Phishing",\
mitre_technique_id="T1566",\
mitre_subtechnique="Spearphishing Attachment", \
mitre_subtechnique_id="T1566.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1566/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.002] Control Panel - Registry]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace*" OR registry_key_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\*\\Shellex\\PropertySheetHandlers\\*" OR registry_key_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse control.exe to proxy execution of malicious payloads.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Control Panel", \
mitre_subtechnique_id="T1218.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1218.002] Control Panel - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 10-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_command_line="*control* \/name*" OR process_command_line="rundll32* shell32.dll,Control_RunDLL") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse control.exe to proxy execution of malicious payloads.",\
mitre_category="Defense_Evasion",\
mitre_technique="System Binary Proxy Execution",\
mitre_technique_id="T1218",\
mitre_subtechnique="Control Panel", \
mitre_subtechnique_id="T1218.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1218/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1558.003] Kerberoasting]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` EventCode=4769 Ticket_Encryption_Type=0x17  Service_ID!=NONE_MAPPED Account_Name!="sa_*"\
| transaction Account_Name maxpause=60s maxevents=500\
| where eventcount>10\
|where Service_ID>1\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.",\
mitre_category="Credential_Access",\
mitre_technique="Steal or Forge Kerberos Tickets",\
mitre_technique_id="T1558",\
mitre_subtechnique="Kerberoasting", \
mitre_subtechnique_id="T1558.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1558/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table  Account_Name Service_ID eventcount mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1547.003] Time Providers]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 2-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may abuse time providers to execute DLLs when the system boots.",\
mitre_category="Defense_Evasion",\
mitre_technique="Boot or Logon Autostart Execution",\
mitre_technique_id="T1547",\
mitre_subtechnique="Time Providers", \
mitre_subtechnique_id="T1547.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1547/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1552.002] Credentials in Registry]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688) OR (`powershell` event_id=4104)) (process_command_line="*reg* query HKLM \/f password \/t REG_SZ \/s*" OR process_command_line="reg* query HKCU \/f password \/t REG_SZ \/s" OR process_command_line="*Get-UnattendedInstallFile*" OR process_command_line="*Get-Webconfig*" OR process_command_line="*Get-ApplicationHost*" OR process_command_line="*Get-SiteListPassword*" OR process_command_line="*Get-CachedGPPPassword*" OR process_command_line="*Get-RegistryAutoLogon*") OR (ScriptBlockText="reg query /f password /t REG_SZ /s*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may search the Registry on compromised systems for insecurely stored credentials.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="Credentials in Registry", \
mitre_subtechnique_id="T1552.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1552/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1552.002] Compiled HTML File]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name="hh.exe"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may search the Registry on compromised systems for insecurely stored credentials.",\
mitre_category="Credential_Access",\
mitre_technique="Unsecured Credentials",\
mitre_technique_id="T1552",\
mitre_subtechnique="Credentials in Registry", \
mitre_subtechnique_id="T1552.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1552/002/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1566.001] Spearphishing Attachment]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 12-59/15 * * * *
description = Test search from email origins to replace Original search
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` event_id=11 (process_path=*OUTLOOK* OR process_path=*yahoo* OR *gmail*) (file_path="*.docm" OR file_path="*.xlsm" OR file_path="*.pptm" OR file_path="*.ps1" OR file_path="*.py" OR file_path="*.js" OR file_path="*.vbs" OR file_path="*.hta" OR file_path="*.bat" OR file_path="*.slk" OR file_path="*.jspx" OR file_path="*.cmd" OR file_path="*.php" OR file_path="*.pyw" OR file_path="*.xla" OR file_path="*.application" OR file_path="*.potm" OR file_path="*.csproj" OR file_path="*.aspx" OR file_path="*.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="normal - Potentially malicious file saved",\
mitre_category="Initial_Access",\
mitre_technique="Phishing",\
mitre_technique_id="T1566",\
mitre_subtechnique="Spearphishing Attachment", \
mitre_subtechnique_id="T1566.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1566/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.001] Remote Services_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1021/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` EventCode IN (4624, 4634, 4647, 4778, 4779)\
| search LogonType=10 // RDP Interactive Logon\
| eval is_suspicious=if((user!="expected_users") AND (dest_ip!="expected_servers"), "True", "False")\
| where is_suspicious="True"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Remote Desktop Protocol",\
mitre_subtechnique_id="T1021.001",\
apt=mvappend("APT1","APT3","APT39","APT41","APT5","Agrius","Aquatic Panda","Axiom","Blue Mockingbird","Chimera","Cobalt Group","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","HEXANE","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Leviathan","Magic Hound","OilRig","Patchwork","Silence","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.001] Remote Services_Analytic_4]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1021/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype=netflow LogonType="10"\
| search dest_port=3389 // Default RDP port\
| stats count by src_ip, dest_ip, dest_port\
| where src_ip!="trusted_ips" AND dest_ip!="internal_servers"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious RDP",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Remote Desktop Protocol",\
mitre_subtechnique_id="T1021.001",\
apt=mvappend("APT1","APT3","APT39","APT41","APT5","Agrius","Aquatic Panda","Axiom","Blue Mockingbird","Chimera","Cobalt Group","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","HEXANE","INC Ransom","Indrik Spider","Kimsuky","Lazarus Group","Leviathan","Magic Hound","OilRig","Patchwork","Silence","Volt Typhoon","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1518.001] Security Software Discovery]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="netsh.exe" OR process_name="reg.exe" OR process_name="tasklist.exe") NOT (process_command_line="*interface tcp show global") AND (process_command_line="*reg* query*" OR process_command_line="*tasklist *" OR process_command_line="*netsh*" OR process_command_line="*fltmc*|*findstr*") NOT (process_command_line="*Adobe*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.",\
mitre_category="Discovery",\
mitre_technique="Software Discovery",\
mitre_technique_id="T1518",\
mitre_subtechnique="Security Software Discovery", \
mitre_subtechnique_id="T1518.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1518/001/",\
creator="Cpl Iverson",\
upload_date="2023-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1087] Account Discovery]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="net.exe" OR process_name="powershell.exe") AND (process_command_line="*net* user*" OR process_command_line="*net* group*" OR process_command_line="*net* localgroup*" OR process_command_line="cmdkey*\/list*" process_command_line="*get-localuser*" OR process_command_line="*get-localgroupmembers*" OR process_command_line="*get-aduser*" OR process_command_line="query*user*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may attempt to get a listing of local system accounts.",\
mitre_category="Discovery",\
mitre_technique="Account Discovery",\
mitre_technique_id="T1087",\
mitre_subtechnique="Local Account", \
mitre_subtechnique_id="T1087.001",\
eval apt=mvappend("Volt Typhoon","APT28"),\
mitre_link="https://attack.mitre.org/techniques/T1087/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 13-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1047] WMI command execution]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` event_id=20 wmi_consumer_type="Command Line" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="WMI command execution" ,\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="APT29",\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `wmi_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto

[[T1047] Windows Management Instrumentation - Look for wmic.exeexecution]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` OR `sysmon`\
| eval CommandLine=coalesce(CommandLine, ParentCommandLine)\
| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)\
| search ProcessName IN ("wmic.exe", "powershell.exe", "wbemtool.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe")\
| search CommandLine IN ("process call create", "shadowcopy delete", "process start", "createobject")\
| stats count by _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, dest, src_ip, dest_ip\
| eval alert_message="Suspicious WMI activity detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine\
| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR CommandLine="wmic shadowcopy delete" AND src_ip="trusted_ip_range")\
| table _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, src_ip, dest_ip, alert_message\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1 - Look for wmic.exeexecution with arguments indicative of remote process creation." ,\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="APT29",\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-12",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="medium"\
| `wmi_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] WMI - Detect wmic.exeprocess]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` (EventCode=4688 OR EventCode=4656 OR EventCode=4103 OR EventCode=800) \
| eval command_line = coalesce(CommandLine, ParentCommandLine) \
| where (ProcessName="wmic.exe" AND (command_line LIKE "%/node:%" OR command_line LIKE "%process call create%"))OR (command_line LIKE "Invoke-WmiMethod" OR command_line LIKE "Get-WmiObject" OR command_line LIKE "gwmi" OR command_line LIKE "win32_process")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1 - Detect wmic.exeprocess creation with command lines containing process call create or /node:." ,\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="APT29",\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-12",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="medium"\
| `wmi_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] WMI - WMI object creation events]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" (EventCode=5861 OR EventCode=5857 OR EventCode=5858) \
| eval CommandLine = coalesce(CommandLine, ParentCommandLine) \
| where (EventCode=5861 AND (CommandLine LIKE "create" OR CommandLine LIKE "process")) OR (EventCode=5857 AND (CommandLine LIKE "exec" OR CommandLine LIKE "invoke")) OR (EventCode=5858 AND (CommandLine LIKE "payload" OR CommandLine LIKE "wmic"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1 - Detect wmic.exeprocess creation with command lines containing process call create or /node:." ,\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="APT29",\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-12",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="medium"\
| `wmi_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1021.001] Remote Desktop Protocol - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="tscon.exe" OR process_name="mstsc.exe") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Process - Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="Remote Desktop Protocol", \
mitre_subtechnique_id="T1021.001",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1021/001/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-08",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T0000] Bad IPs]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` 149.88.26.221 OR 156.146.62.133 OR 110.133.252.162 OR 43.157.20.43 OR 149.102.246.50 OR 146.70.188.243 OR 149.102.246.30 OR 146.70.185.74 OR 54.38.63.235\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="IPs from Volt Typhoon",\
mitre_category="Discovery",\
mitre_technique="Remote System Discovery",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="Volt Typhoon",\
mitre_link="",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-05",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="Critical"\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt campaign hunting_trigger mitre_link upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T0000] Named Pipes - CobaltStrike]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` event_id=17 pipe_name="*msagent_*" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Default CobaltStrike pipe name",\
mitre_category="Lateral_Movement",\
mitre_technique="Named Pipes",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="high"\
| `pipe_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn pipe_name process_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = default CobaltStrike pipe name
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_view = search

[[Event IDs To Watch] - Hunt Tool]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 22 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
schedule_window = auto
search = index=* EventCode=4698 OR EventCode=4720 OR EventCode=4769 OR EventCode=5140 OR EventCode=7045 OR EventCode=4648 OR EventCode=4658 OR EventCode=4660 OR EventCode=4663 OR EventCode=4672 OR EventCode=4673 OR EventCode=4946 OR EventCode=5142 OR EventCode=5144 OR EventCode=5145 OR EventCode=5154 OR EventCode=5156 OR EventCode=5447 OR EventCode=8222 OR EventCode=7036 OR EventCode=4634 OR EventCode=4648 OR EventCode=4656 OR EventCode=4658 OR EventCode=4660 OR EventCode=4663 OR EventCode=4672 OR EventCode=4673 OR EventCode=4688 OR EventCode=4689 OR EventCode=4720 OR EventCode=4768 OR EventCode=4769 OR EventCode=4946 OR EventCode=5140 OR EventCode=5142 OR EventCode=5144 OR EventCode=5145 OR EventCode=5154 OR EventCode=5156 OR EventCode=5447 OR EventCode=8222 OR EventCode=7036 OR EventCode=7035\
| stats count by EventCode

[[Network Types] - Network Tool]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = shows the amount of each protocol
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.visualizations.charting.chart = pie
display.visualizations.charting.drilldown = none
enableSched = 1
schedule_window = auto
search = index=* sourcetype=zeek* | stats count by sourcetype

[[zeek 1D] Stats Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = |tstats count where index=zeek* by _time | reverse

[[Common IP] Network Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
description = most common IP outside of our inside range
search = index=zeek* id.resp_h!=137.233.* id.resp_h!=10.* id.resp_h!=172.* id.resp_h!=192.168.*\
| stats count by id.resp_h\
| sort - count\
| head

[[Files Ran]  - Host Tool]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = shows all of the commands ran by users on the network
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.statistics.drilldown = none
display.visualizations.charting.chart = line
display.visualizations.charting.drilldown = none
enableSched = 1
schedule_window = auto
search = index=* `sysmon` (Image=*.exe OR Image=*.vbs OR Image=*.doc OR Image=*.txt OR Image=*.ps1 OR Image=*.dll OR Image=*.eval OR Image=*.xls OR Image=*.ova OR Image=*.py OR Image=*.vdk OR Image=*.iso) NOT Image=*svchost.exe \
| `process_create_whitelist`\
| `process_access_whitelist`\
| stats count by process_exec\
| sort - count\
| eval count=tostring('count',"commas")

[[T0000] Named Pipes]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` event_id=17 (pipe_name="*isapi_http*" OR pipe_name="*isapi_dg*" OR pipe_name="*isapi_dg2*" OR pipe_name="*isapi_http*" OR pipe_name="*sdlrpc*" OR pipe_name="*aheec*" OR pipe_name="*winsession*" OR pipe_name="*lsassw*" OR pipe_name="*rpchlp_3*" OR pipe_name="*NamePipe_MoreWindows*" OR pipe_name="*pcheap_reuse*" OR pipe_name="*PSEXESVC*" OR pipe_name="*PowerShellISEPipeName_*" OR pipe_name="*csexec*" OR pipe_name="*paexec*" OR pipe_name="*remcom*")  \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious or known bad pipe names",\
mitre_category="Lateral_Movement",\
mitre_technique="Remote Services",\
mitre_technique_id="T1021",\
mitre_subtechnique="SMB/Windows Admin Shares", \
mitre_subtechnique_id="T1021.002",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1021/002/",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `pipe_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn pipe_name process_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 6-59/15 * * * *
description = suspicious or known bad pipe names
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_view = search

[[T0000] Remotely Query Login Sessions - Network]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` event_id=3 (process_name="qwinsta.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Remotely Query Login Session - qwinsta.exe",\
mitre_category="Discovery",\
mitre_technique="Remotely Query Login Sessions",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `network_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn user_name process_path process_id process_guid src_ip dst_ip dst_port src_host_name dst_host_name initiated transport mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 4-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T0000] Remotely Query Login Sessions - Process]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="qwinsta.exe")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Remotely Query Login Sessions",\
mitre_category="Discovery",\
mitre_technique="Remotely Query Login Sessions",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 3-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T0000] Suspicious filename used]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name=a.exe OR process_name=b.exe OR process_name=c.exe OR process_name=d.exe OR process_name=e.exe OR process_name=f.exe OR process_name=g.exe OR process_name=h.exe OR process_name=i.exe OR process_name=j.exe OR process_name=k.exe OR process_name=l.exe OR process_name=m.exe OR process_name=n.exe OR process_name=o.exe OR process_name=p.exe OR process_name=q.exe OR process_name=r.exe OR process_name=s.exe OR process_name=t.exe OR process_name=u.exe OR process_name=v.exe OR process_name=w.exe OR process_name=x.exe OR process_name=y.exe OR process_name=z.exe OR process_name=1.exe OR process_name=2.exe OR process_name=3.exe OR process_name=4.exe OR process_name=5.exe OR process_name=6.exe OR process_name=7.exe OR process_name=8.exe OR process_name=9.exe OR process_name=0.exe OR process_name=10.exe) \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="single character filename - hackers being lazy",\
mitre_category="Execution",\
mitre_technique="Suspicious filename",\
mitre_technique_id="T0000",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid file_description mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 4-59/15 * * * *
description = Suspicious filename
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_view = search

[[T1003.001] OS Credential Dumping_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1003/001
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `powershell` EventCode=4104 Image="powershell.exe" CommandLine IN ("Invoke-Mimikatz", "procdump.exe -ma lsass", "rundll32.exe comsvcs.dll, MiniDump", "taskmgr.exe* /dump")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unauthorized command execution of LSASS memory.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="LSASS Memory",\
mitre_subtechnique_id="T1003.001",\
apt=mvappend("APT1","APT28","APT3","APT32","APT33","APT39","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Cleaver","Earth Lusca","Ember Bear","FIN13","FIN6","FIN8","Fox Kitten","GALLIUM","HAFNIUM","Indrik Spider","Ke3chang","Kimsuky","Leafminer","Leviathan","Magic Hound","Moonstone Sleet","MuddyWater","OilRig","PLATINUM","Play","RedCurl","Sandworm Team","Silence","Threat Group-3390","Volt Typhoon","Whitefly","Wizard Spider"),\
mitre_link="https://attack.mitre.org/techniques/T1003/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003.003] LOLBAS Chinese APT Credential Dumping as McAffee Logs]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` AND ((Image="*\\cmd.exe" OR OriginalFileName="cmd.exe") AND CommandLine="*/c wmic process call create*" AND (CommandLine="*cmd.exe /c mkdir C:\\windows\\Temp\\McAfee_Logs*" OR CommandLine="*& ntdsutil \\\"ac i ntds\\\" ifm \\\"create full C:\\Windows\\Temp\\McAfee_Logs\\*"))\
``` author: SIMKRA, @SIMKRA202 ```\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the credential dumping, creating a McAffe_Log folder.",\
mitre_category=mvappend("Credential_Access","Defense_Evasion"),\
mitre_technique="Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="NTDS",\
mitre_subtechnique_id="T1003.003",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Credential%20Dumping%20as%20McAffee%20Logs.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003.003] LOLBAS Chinese APT Credential Dumping to ADMIN localhost]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` AND ((Image="*\\cmd.exe" OR OriginalFileName="cmd.exe") AND CommandLine="*/c wmic process call create*" AND (CommandLine="*\"cmd.exe /c mkdir C:\\Windows\\Temp\\tmp*" OR CommandLine="*& ntdsutil \\\"ac i ntds\\\" ifm \\\"create full C:\\Windows\\Temp\\tmp\\\" 1\> \\127.0.0.1\\ADMIN$\\ 2\>&1*"))\
``` name: LOLBAS Chinese APT Credential Dumping to ADMIN localhost ```\
``` author: SIMKRA, @SIMKRA202 ```\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Detects the credential dumping, creating a dump in the ADMIN tmp.",\
mitre_category=mvappend("Credential_Access","Defense_Evasion"),\
mitre_technique="Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="NTDS",\
mitre_subtechnique_id="T1003.003",\
apt="Volt Typhoon",\
mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Credential%20Dumping%20to%20ADMIN%20localhost.yml",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-07",\
last_modify_date="2025-01-07",\
mitre_version="v16",\
priority="high"\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] Credential Dumping - Process]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
cron_schedule = */8 * * * *
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_command_line="*Invoke-Mimikatz -DumpCreds*" OR process_command_line="gsecdump* -a" OR process_command_line="wce* -o" OR process_command_line="procdump* -ma lsass.exe*" OR process_command_line="ntdsutil*ac i ntds*ifm*create full"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003] Credential Dumping - Process Access]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` (event_id=10) (target_process_path="C:\\Windows\\system32\\lsass.exe") AND (process_granted_access=0x1010 OR process_granted_access=0x1410 OR process_granted_access=0x147a OR process_granted_access=0x143a) process_call_trace="C:\\Windows\\SYSTEM32\\ntdll.dll\*|C:\\Windows\\system32\\KERNELBASE.dll*|UNKNOWN(*)"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Potentially Mimikatz",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003",\
creator="",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `process_access_whitelist` \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path target_process_path process_granted_access process_guid target_process_guid process_id target_process_id process_granted_access_description mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
action.threat_add.param.verbose = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003] Credential Dumping - Registry]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) process_path!="C:\\WINDOWS\\system32\\lsass.exe"  (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider\\*" OR registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\*" OR registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders\\*" OR registry_key_path="*\\Control\\SecurityProviders\\WDigest\\*") NOT registry_key_path="*\\Lsa\\RestrictRemoteSamEventThrottlingWindow" NOT registry_key_path="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\nolmhash" \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Registry - Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 8-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003] Credential Dumping - Registry Save]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_name=reg.exe (process_command_line="*save*HKLM\\sam*" OR process_command_line="*save*HKLM\\system*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Reg dump SAM/System db",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 11-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003] Credential Dumping ImageLoad]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
disabled = 0
enableSched = 1
search = `indextime` `sysmon` event_id=7 (driver_loaded="C:\\Windows\\System32\\samlib.dll" OR driver_loaded="C:\\Windows\\System32\\WinSCard.dll" OR driver_loaded="C:\\Windows\\System32\\cryptdll.dll" OR driver_loaded="C:\\Windows\\System32\\hid.dll" OR driver_loaded="C:\\Windows\\System32\\vaultcli.dll") (process_path!="*\\Sysmon.exe" process_path!="*\\svchost.exe" process_path!="*\\logonui.exe")\
| transaction process_guid maxspan=5s\
| eval keep = mvcount(driver_loaded)\
| search keep > 3\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Credential Dumping ImageLoad - Probably Mimikatz",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority mitre_technique_id hunting_trigger\
| collect `jarvis_index`
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 5-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
schedule_window = auto
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search

[[T1003] OS Credential Dumping - (sysmon)]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` RuleName="technique_id=T1003,technique_name=Credential Dumping"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="sysmon - Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator=mvappend("Cpl Iverson","LCpl Parks"),\
last_tested="",\
upload_date="2024-07-22",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] OS Credential Dumping - Active Directory Object Access]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Suspicious Replication Requests\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` EventCode="4662" AND AccessMask= "0x100" AND (guid= "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "9923a32a-3607-11d2-b9be-0000f87a36b2" OR guid= "89e95b76-444d-4c62-991a-0facbeda640c")\
| transaction process_guid maxspan=5s\
| eval keep = mvcount(driver_loaded)\
| search keep > 3\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="NTDSv2",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `image_load_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] OS Credential Dumping - Command Execution]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0-59/15 * * * *
description = Analytic 1 - Suspicious command execution involving credential dumping tools.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = ThreatHunting
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) process_command_line="*Invoke-Mimikatz -DumpCreds*" OR process_command_line="gsecdump* -a" OR process_command_line="wce* -o" OR process_command_line="procdump* -ma lsass.exe*" OR process_command_line="ntdsutil*ac i ntds*ifm*create full"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="NTDSv2",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid parent_user_name mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `threathunting_index`

[[T1003] OS Credential Dumping - Network Traffic Flow]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Unusual network communication patterns.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip]\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unexpected memory dump file creation",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] OS Credential Dumping - File Creation]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Unexpected memory dump file creation.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=4663 ObjectName IN ("lsass.dmp", "\config\SAM", "\ntds.dit", "\policy\secrets", "\cache"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")))OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unexpected memory dump file creation",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator="",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] OS Credential Dumping - File Access]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 5-59/15 * * * *
description = Analytic 1 - Unauthorized access to credential storage files.\
https://attack.mitre.org/techniques/T1003/
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode=4663 ObjectName IN ("\config\SAM", "\ntds.dit", "\policy\secrets", "\cache"))OR (index=security sourcetype="auditd" (key="path" (value IN ("/etc/passwd", "/etc/shadow")) OR key="proctitle" value IN ("cat", "strings", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more")))OR(index=security sourcetype="macOS:UnifiedLog" (process IN ("cat", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more") OR message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd")))\
| eval hunting_trigger="Unauthorized access to credential storage files"\
| eval mitre_category="Credential_Access"\
| eval mitre_technique="Credential Dumping"\
| eval mitre_technique_id="T1003" \
| `image_load_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signature_status process_id process_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1057] Process Discovery_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 3-59/15 * * * *
description = https://attack.mitre.org/techniques/T1057/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Host Discovery Commands",\
mitre_category="Discovery",\
mitre_technique="Process Discovery",\
mitre_technique_id="T1057",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT1","APT28","APT3","APT37","APT38","APT5","Andariel","Chimera","Darkhotel","Deep Panda","Earth Lusca","Gamaredon Group","HAFNIUM","HEXANE","Higaisa","Inception","Ke3chang","Kimsuky","Lazarus Group","Magic Hound","Molerats","MuddyWater","Mustang Panda","OilRig","Play","Poseidon Group","Rocke","Sidewinder","Stealth Falcon","TeamTNT","ToddyCat","Tropic Trooper","Turla","Volt Typhoon","Windshift","Winnti Group"),\
mitre_link="https://attack.mitre.org/techniques/T1057/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059.003] Command and Scripting Interpreter_Analytic_3]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1059/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP "./c." OR CommandLine REGEXP ".._ \/k.*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Unusual Command Execution",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="Windows Command Shell",\
mitre_subtechnique_id="T1059.003",\
apt=mvappend("APT1","APT18","APT28","APT3","APT32","APT37","APT38","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Chimera","Cinnamon Tempest","Cobalt Group","Dark Caracal","Darkhotel","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","GALLIUM","Gamaredon Group","Gorgon Group","HAFNIUM","Higaisa","INC Ransom","Indrik Spider","Ke3chang","Kimsuky","Lazarus Group","LazyScripter","Machete","Magic Hound","Metador","MuddyWater","Mustang Panda","Nomadic Octopus","OilRig","Patchwork","Play","Rancor","RedCurl","Saint Bear","Silence","Sowbug","Suckfly","TA505","TA551","TA577","TeamTNT","Threat Group-1314","Threat Group-3390","ToddyCat","Tropic Trooper","Turla","Volt Typhoon","Winter Vivern","Wizard Spider","ZIRCONIUM","admin@338","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1059/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059] Command and Scripting Interpreter - CE]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Command Execution
dispatch.earliest_time = 1
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` OR `sysmon` OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)| search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic")| eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")\
| eval mitre_category="Execution"\
| eval mitre_technique="Command-Line Interface"\
| eval mitre_technique_id="T1059" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1070] Suspicious Eventlog Clearing]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
description = Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".\
    This technique were seen used by threat actors and ransomware strains in order to evade defenses.
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `windows-security` AND ((Image="*\\wevtutil.exe" AND (CommandLine="*clear-log *" OR CommandLine="* cl *" OR CommandLine="*set-log *" OR CommandLine="* sl *" OR CommandLine="*lfn:*")) OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Clear-EventLog *" OR CommandLine="*Remove-EventLog *" OR CommandLine="*Limit-EventLog *" OR CommandLine="*Clear-WinEvent *")) OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wmic.exe") AND CommandLine="*ClearEventLog*")) AND  NOT (((ParentImage="C:\\Windows\\SysWOW64\\msiexec.exe" OR ParentImage="C:\\Windows\\System32\\msiexec.exe") AND CommandLine="* sl *"))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Suspicious Eventlog Clearing or Configuration Change Activity",\
mitre_category="Defense_Evasion",\
mitre_technique="Indicator Removal on Host",\
mitre_technique_id="T1070",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml",\
creator="Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1490] BCDEdit Failure Recovery Modification]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") Image= "C:\Windows\System32\bcdedit.exe" AND CommandLine="recoveryenabled"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="BCDEdit Failure Recovery Modification",\
mitre_category="Impact",\
mitre_technique="Inhibit System Recovery",\
mitre_technique_id="T1490",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1490",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2023-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1490] Detecting Shadow Copy Deletion or Resize]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")(CommandLine="vssadmin delete shadows" OR CommandLine="wmic shadowcopy delete" OR CommandLine="vssadmin resize shadowstorage") OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="Win32_ShadowCopy")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Shadow Copy",\
mitre_category="Impact",\
mitre_technique="Inhibit System Recovery",\
mitre_technique_id="T1490",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1490",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1003] Credential Dumping NTDSv2 - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `index_time` (`windows-security` EventCode IN (4656, 4663)) OR (`sysmon` EventCode="11") AND ObjectType="File" AND TargetFilename="*ntds.dit" AND (AccessList="%%4416" OR AccessList="%%4419" OR AccessList="%%4417" OR AccessList="%%4424")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="NTDSv2",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator=mvappend("Cpl Iverson","LCpl Parks"),\
last_tested="",\
upload_date="2024-07-22",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| `process_create_whitelist`                            \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1047] Windows Management Instrumentation_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
description = https://attack.mitre.org/techniques/T1047/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security` OR `sysmon` OR sourcetype=WinEventLog:Microsoft-Windows-Security-Auditing\
| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)\
| search ProcessName IN ("wmic.exe", "powershell.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe", "wbemtool.exe")\
| search CommandLine IN ("process call create", "win32_process", "win32_service", "shadowcopy delete", "network")\
| search (`windows-security` EventCode=4688) OR (`sysmon` EventCode=1)\
| join ProcessName [ search index=windows_logs `sysmon` EventCode=3 \
| eval DestinationIp = coalesce(DestinationIp, dest_ip)\
| eval DestinationPort = coalesce(DestinationPort, dest_port)\
| search DestinationPort IN (135, 5985, 5986) ]\
| stats count by _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, dest, src_ip, dest_ip\
| eval alert_message="Suspicious WMI Network Connection Detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine + " connecting to " + DestinationIp + ":" + DestinationPort\
| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR (src_ip="trusted_ip_range" AND DestinationIp="trusted_ip_range"))\
| table _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, src_ip, dest_ip, alert_message\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Monitor for WMI over RPC (DCOM) connections. Look for the string RPCSS within the initial RPC connection on port 135/tcp.",\
mitre_category="Execution",\
mitre_technique="Windows Management Instrumentation",\
mitre_technique_id="T1047",\
mitre_subtechnique="",\
mitre_subtechnique_id="",\
apt=mvappend("APT29","APT32","APT41","Aquatic Panda","Blue Mockingbird","Chimera","Cinnamon Tempest","Deep Panda","Earth Lusca","Ember Bear","FIN13","FIN6","FIN7","FIN8","GALLIUM","Gamaredon Group","INC Ransom","Indrik Spider","Lazarus Group","Leviathan","Magic Hound","MuddyWater","Mustang Panda","Naikon","OilRig","Sandworm Team","Stealth Falcon","TA2541","Threat Group-3390","ToddyCat","Volt Typhoon","Windshift","Wizard Spider","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1047/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1059] Command and Scripting Interpreter - Module Load]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Module Load
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` \
| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\JScript.dll", "C:\Windows\System32\vbscript.dll", "System.Management.Automation.dll")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Analytic 1 - Look for unusual module loads associated with scripting languages",\
mitre_category="Execution",\
mitre_technique="Command-Line Interface",\
mitre_technique_id="T1059",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1059",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[SysmonHosts]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 6 * * *
description = Wec Hosts running Sysmon
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = index=windows host=N2MEFBL24WEC01 `sysmon` | dedup host_fqdn | stats count by host_fqdn | fields host_fqdn

[[T1003] Credential Dumping NTDSv1 - Process]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */8 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `index_time` ((`powershell` EventCode="800") AND ((CommandLine LIKE "%ntds%" AND CommandLine LIKE "%ntdsutil%" AND CommandLine LIKE "%create%") OR (CommandLine LIKE "%vssadmin%" AND CommandLine LIKE "%create%" AND CommandLine LIKE "%shadow%") OR (CommandLine LIKE "%copy%" AND CommandLine LIKE "%ntds.dit%")))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="NTDSv1",\
mitre_category="Credential_Access",\
mitre_technique="OS Credential Dumping",\
mitre_technique_id="T1003",\
mitre_subtechnique="", \
mitre_subtechnique_id="",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1003/",\
creator=mvappend("Cpl Iverson","LCpl Parks"),\
last_tested="",\
upload_date="2024-07-22",\
last_modify_date="2025-01-12",\
mitre_version="v16",\
priority="" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`                            \
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[Users After Hours] Host Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = index=* `windows` NOT user=SYSTEM NOT user=HealthMailbox* NOT user="" NOT user=N22MEUEX* NOT user=N2* NOT user=*SERVICE\
| eval access_hour=strftime(_time,"%H")\
| where ( access_hour >= 19 OR access_hour < 7  ) \
| timechart usenull=f limit=30 useother=f count by user

[[WEC 60D] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 3 * * *
description = WEC servers for 60 days
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = index=windows `windows` earliest=-60d@d latest=@d\
| timechart dc(host_fqdn) as "WEC"

[[WEC] Hunt Tool]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
description = WEC servers
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = index=windows `windows`\
| stats dc(host_fqdn)

[[T1059] Command and Scripting Interpreter - Script Execution]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = Script Execution
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = ```\
https://attack.mitre.org/techniques/T1059/\
Analytic 1 - Look for attempts to enable scripts on the system.\
```\
`indextime` (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) (CommandLine="script")\
| search script_name IN (".ps1", ".sh", ".py", ".rb", ".js", ".vbs")\
| eval mitre_category="Execution"\
| eval mitre_technique="Command-Line Interface"\
| eval mitre_technique_id="T1059"\
| eval apt=mvappend(APT19,APT32)\
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1059.003] Command and Scripting Interpreter_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
description = https://attack.mitre.org/techniques/T1059/003/
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `windows-security`\
| search (EventCode=4688 OR EventCode=4689) process_name="cmd.exe"\
| eval suspicious_cmd=if(like(command_line, "%/c%") OR like(command_line, "%.bat%") OR like(command_line, "%.cmd%"), "Yes", "No")\
| where suspicious_cmd="Yes"\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Look for unusual command shell execution.",\
mitre_category="Execution",\
mitre_technique="Command and Scripting Interpreter",\
mitre_technique_id="T1059",\
mitre_subtechnique="Windows Command Shell",\
mitre_subtechnique_id="T1059.003",\
apt=mvappend("APT1","APT18","APT28","APT3","APT32","APT37","APT38","APT41","APT5","Agrius","Aquatic Panda","BRONZE BUTLER","Blue Mockingbird","Chimera","Cinnamon Tempest","Cobalt Group","Dark Caracal","Darkhotel","Dragonfly","FIN10","FIN13","FIN6","FIN7","FIN8","Fox Kitten","GALLIUM","Gamaredon Group","Gorgon Group","HAFNIUM","Higaisa","INC Ransom","Indrik Spider","Ke3chang","Kimsuky","Lazarus Group","LazyScripter","Machete","Magic Hound","Metador","MuddyWater","Mustang Panda","Nomadic Octopus","OilRig","Patchwork","Play","Rancor","RedCurl","Saint Bear","Silence","Sowbug","Suckfly","TA505","TA551","TA577","TeamTNT","Threat Group-1314","Threat Group-3390","ToddyCat","Tropic Trooper","Turla","Volt Typhoon","Winter Vivern","Wizard Spider","ZIRCONIUM","admin@338","menuPass"),\
mitre_link="https://attack.mitre.org/techniques/T1059/003/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`


[Crtitcal Process]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `sysmon` Image="*\\powershell.exe" OR Image="*\\msbuild.exe" OR Image="*\\psexec.exe" OR Image="*\\at.exe" OR Image="*\\schtasks.exe" OR Image="*\\net.exe" OR Image="*\\vssadmin.exe" OR Image="*\\utilman.exe" OR Image="*\\wmic.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe" OR Image="*\\whoami.exe" OR Image="*\\mmc.exe" OR Image="*\\systeminfo.exe" OR Image="*\\csvde.exe" OR Image="*\\certutil.exe" | stats values(CommandLine) by Image
workload_pool = undefined

[Logon type 4 Batch Logon]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","alert.signature","alert.severity","src_ip","src_port","dest_ip","dest_port","alert.category","Account_Domain","Account_Name","Authentication_Package","ComputerName","Creator_Process_Name","Logon_Process","Logon_Type","Privileges","Process_Command_Line","Process_Name","Security_ID","dest","dest_nt_domain","dest_nt_host","event_id","member_dn","member_id","member_nt_domain","name","privilege","privilege_id","process_name","signature","src","src_user","user","body","category"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = |tstats count from datamodel=event_id.wineventlog_security where wineventlog_security.Logon_Type=4 by wineventlog_security.Account_Name | sort - count

[Logon type 5 windows service logon]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","alert.signature","alert.severity","src_ip","src_port","dest_ip","dest_port","alert.category","Account_Domain","Account_Name","Authentication_Package","ComputerName","Creator_Process_Name","Logon_Process","Logon_Type","Privileges","Process_Command_Line","Process_Name","Security_ID","dest","dest_nt_domain","dest_nt_host","event_id","member_dn","member_id","member_nt_domain","name","privilege","privilege_id","process_name","signature","src","src_user","user","body","category"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = |tstats count from datamodel=event_id.wineventlog_security where wineventlog_security.Logon_Type=5 by wineventlog_security.Account_Name | sort + count

[Event_ID_5140_saved_search]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 13 * * *
description = (Share Accessed) Clone
enableSched = 1
schedule_window = 60
search = `wineventlog-security`	EventCode=5140	(Share_Name="*\\C$"	OR Share_Name="*D$"	OR Share_Name="*E$" OR Share_Name="*F$"	OR Share_Name="*U$") NOT Source_Address="::1" | eval DesOnaOon_Sys1=trim(host,"1") |	eval DesOnaOon_Sys2=trim(host,"2") |	eval Dest_Sys1=lower(DesOnaOon_Sys1) | eval Dest_Sys2=lower(DesOnaOon_Sys2) | rename host AS DesOnaOon	| rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2	| stats	count values(Domain) AS	Domain,	values(Source_Address) AS	Source_IP, values(DesOnaOon) AS	DesOnaOon, dc(DesOnaOon)	AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS	Share_Path by Account_Name

[Event_ID_5156_saved_search]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 13 * * *
description = (Win FW Connection) changes
enableSched = 1
schedule_window = 60
search = `wineventlog-security` EventCode=5156 NOT (Source_Address="239.255.255.250"	OR	Source_Address="224.0.0.*" OR Source_Address="::1" OR Source_Address="ff02::*" OR Source_Address="fe80::*" OR	Source_Address="255.255.255.255" OR Source_Address=192.168.1.255) NOT (DesOnaOon_Address="127.0.0.1" OR DesOnaOon_Address="239.255.255.250"	OR DesOnaOon_Address="*.*.*.255" OR DesOnaOon_Address="224.0.0.25*") NOT (DesOnaOon_Port="0") NOT(ApplicaOon_Name="\\icamsource\\" OR ApplicaOon_Name="*\\bin\\splunkd.exe")	| dedup DesOnaOon_Address DesOnaOon_Port | table _Ome, host, ApplicaOon_Name, DirecOon, Source_Address, Source_Port,	DesOnaOon_Address, DesOnaOon_Port |	sort DirecOon DesOnaOon_Port

[Event_ID_7045_saved_search]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 13 * * *
description = (New Service Added)
enableSched = 1
schedule_window = 15
search = `wineventlog-system` EventCode=7045	NOT (Service_Name=tenable_mw_scan) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _Ome host Service_Name,	Service_Type, Service_Start_Type, Service_Account, Short_Message

[tstats zeek conn stats dest_ip]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 17 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.dest_ip \
| sort - count

[tstats zeek conn stats dest_port]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 11 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.dest_port \
| sort - count

[tstats zeek conn stats ja3]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 12 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.ja3\
| sort - count

[tstats zeek conn stats query]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 12 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.query\
| sort - count

[tstats zeek conn stats src_ip]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 11 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.src_ip \
| sort - count

[tstats zeek conn stats src_port]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 11 * * *
description = Used in zeek conn stats dashboard
dispatch.earliest_time = 0
enableSched = 1
schedule_window = 120
search = | tstats count from datamodel=Network_Data.All_Traffic by All_Traffic.src_port \
| sort - count

[Crtitcal Process Clone]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
search = `sysmon` Image="*\\powershell.exe" OR Image="*\\msbuild.exe" OR Image="*\\psexec.exe" OR Image="*\\at.exe" OR Image="*\\schtasks.exe" OR Image="*\\net.exe" OR Image="*\\vssadmin.exe" OR Image="*\\utilman.exe" OR Image="*\\wmic.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe" OR Image="*\\whoami.exe" OR Image="*\\mmc.exe" OR Image="*\\systeminfo.exe" OR Image="*\\csvde.exe" OR Image="*\\certutil.exe" | stats values(CommandLine) by Image
workload_pool = undefined

[Event_ID_4663_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 12 * * *
description = ( File/Reg Auditing)
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
enableSched = 1
schedule_window = 15
search = `wineventlog-security` EventCode=4663	NOT	(Process_Name="*\\
\Windows\\servicing\\TrustedInstaller.exe"	OR	"*\\Windows\\System32\\poqexec.exe")	NOT	\
(Object_Name="*\\Users\\svc_acct\\pnp"	OR	Object_Name="C:\\Users\\Surf\\AppData\\
\Local\\Google\\Chrome\\User Data*"	NOT	Object_Name="C:\\Users\\Surf\\AppData\\
\Roaming\\MicrosoW\\Windows\\Recent\\CustomDesOnaOons")	NOT	(Object_Name="C:\\
\Windows\\System32\\LogFiles\\*"	OR	Object_Name="*ProgramData\\MicrosoW\\RAC\\*"	\
OR	Object_Name="*\\MicrosoW\\Windows\\Explorer\\thumbcache*"	OR	\
Object_Name="*.MAP"	OR	Object_Name="*counters.dat"	OR	Object_Name="*\\Windows\\
\Gatherlogs\\SystemIndex\\*")	|	rename Process_Name	as Created_By |	table _Ome,	Computer,	\
EventID, SubjectUserName Caller_Domain src_user dest file_name file_path Keyword process

[Event_ID_4688_exe_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 13 * * *
description = New processes started with suspicious exe files
dispatch.earliest_time = 0
enableSched = 1
schedule_window = auto
search = `wineventlog-security`	(EventCode=4688) NOT (Account_Name=*$) (at.exe OR bcdedit.exe	OR chcp.exe	OR cmd.exe OR cscript.exe OR ipconfig.exe OR mimikatz.exe OR	nbtstat.exe	OR nc.exe OR netcat.exe	OR netstat.exe OR nmap OR nslookup.exe OR	bcp.exe	OR sqlcmd.exe OR OSQL.exe OR ping.exe OR	powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR sc.exe OR schtasks.exe OR sethc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe	OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR winrm.* OR winrs.* OR wmic.exe	OR wsmprovhost.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) |\
table Computer,	SubjectUserName, ParentProcessName, ProcessID, Process_Command_Line , NewProcessName, NewProcessId, Short_Message

[Event_ID_4688_saved_search]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 13 * * *
description = powershell commands
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
enableSched = 1
schedule_priority = highest
schedule_window = 120
search = `wineventlog-security`	(EventCode=4688) (powershell* AND -ExecuOonPolicy) OR(powershell* AND bypass) OR	(powershell* AND -noprofile) | eval	Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table	Computer, TargetUserName, process_exec, ParentProcessName, ProcessId, Process_Command_Line, NewProcessName, NewProcessId, Creator_Process_ID, Short_Message

[ip iocs]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
search = index=zeek_* [|inputlookup ip.csv | return 10000 %ip ] AND NOT reddit | stats count

[hash ioc]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
search = index=windows hash source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" [| inputlookup hashes.csv | reverse | return 300000 $hash]

[hash ioc test]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
search = index=windows hash source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" [| inputlookup hashes.csv | return 300000 $hash] \
|  stats count

[Get-ADUser Enumeration Using UserAccountControl Flags]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 1 * * *
description = Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*Get-ADUser*" ScriptBlockText="*-Filter*" ScriptBlockText="*useraccountcontrol*" ScriptBlockText="*-band*" ScriptBlockText="*4194304*" | collect index=sigma

[Powershell Detect Virtualization Environment]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 3 * * *
description = description: |\
    Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\
    This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\
references:\
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md\
    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText IN ("*Get-WmiObject*", "*gwmi*") ScriptBlockText IN ("*MSAcpi_ThermalZoneTemperature*", "*Win32_ComputerSystem*") | collect index=sigma

[Dump Credentials from Windows Credential Manager With PowerShell]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 4 * * *
description = description: |\
    Adversaries may search for common password storage locations to obtain user credentials.\
    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.\
references:\
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText IN ("*Get-PasswordVaultCredentials*", "*Get-CredManCreds*") OR (ScriptBlockText="*New-Object*" ScriptBlockText="*Windows.Security.Credentials.PasswordVault*") OR (ScriptBlockText="*New-Object*" ScriptBlockText="*Microsoft.CSharp.CSharpCodeProvider*" ScriptBlockText="*[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())*" ScriptBlockText="*Collections.ArrayList*" ScriptBlockText="*System.CodeDom.Compiler.CompilerParameters*") | collect index=sigma

[Windows Screen Capture with CopyFromScreen]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 5 * * *
description = Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\
    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\
references:\
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*.CopyFromScreen*" | collect index=sigma

[Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 6 * * *
description = description: |\
    Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.\
references:\
    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = (ParentImage="*/sshd" CommandLine IN ("bash -c*", "sh -c*") User="root") OR (ParentImage="*/sshd" Image="*/sshd" User="sshd") | collect index=sigma

[Access to Browser Login Data]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\
    Web browsers typically store the credentials in an encrypted format within a credential store.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*Copy-Item*" ScriptBlockText="*-Destination*" ScriptBlockText IN ("*\\Opera Software\\Opera Stable\\Login Data*", "*\\Mozilla\\Firefox\\Profiles*", "*\\Microsoft\\Edge\\User Data\\Default*", "*\\Google\\Chrome\\User Data\\Default\\Login Data*", "*\\Google\\Chrome\\User Data\\Default\\Login Data For Account*")

[CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = description: |\
    Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\
    It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.\
references:\
    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py\
    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = "cs-method"="GET" "cs-uri-stem"="*/access/set*" "cs-uri-stem"="*param=enableapi*" "cs-uri-stem"="*value=1*" "Basic Jz" OR "Basic c7" OR "Basic nO" OR "Basic ';" | collect index=sigma

[Create Volume Shadow Copy with Powershell]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 2 * * *
description = Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = Arc_Reactor_app
request.ui_dispatch_view = search
search = ScriptBlockText="*win32_shadowcopy*" ScriptBlockText="*).Create(*" ScriptBlockText="*ClientAccessible*" | collect index=sigma

[Exploitation Indicators Of CVE-2023-20198]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 0 0 * * *
description = description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.\
references:\
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z\
    - https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
enableSched = 1
search = "%WEBUI-6-INSTALL_OPERATION_INFO:" OR "%SYS-5-CONFIG_P:" OR "%SEC_LOGIN-5-WEBLOGIN_SUCCESS:" "cisco_tac_admin" OR "cisco_support" OR "cisco_sys_manager"

[[T1047] WMI - Instances of an Active Script]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 7-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` `sysmon` event_id=11 process_path="C:\\WINDOWS\\system32\\wbem\\scrcons.exe"\
| eval mitre_category="Execution" \
| eval mitre_technique="Windows Management Instrumentation" \
| eval mitre_technique_id="T1047" \
| eval hunting_trigger="Instances of an Active Script Event Consumer" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger\
| collect `jarvis_index`

[[T1070.001] Indicator Removal_Analytic_1]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`windows-security` EventCode IN (1100, 1102, 1104)) OR (`windows-system` EventCode IN (104))\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="User Activity from Clearing Event Logs",\
mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation", "Initial_Access"),\
mitre_technique="Indicator Removal",\
mitre_technique_id="T1070",\
mitre_subtechnique="Clear Windows Event Logs",\
mitre_subtechnique_id="T1070.001",\
apt=mvappend("APT28","APT32","APT38","APT41","Aquatic Panda","Chimera","Dragonfly","FIN5","FIN8","Indrik Spider","Play","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1070/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1070.001] Indicator Removal_Analytic_2]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") (Image=wevtutil CommandLine=cl (CommandLine=System OR CommandLine=Security OR CommandLine=Setup OR CommandLine=Application) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Clearing Windows Logs with Wevtutil",\
mitre_category=mvappend("Defense_Evasion","Persistence","Privilege_Escalation","Initial_Access"),\
mitre_technique="Indicator Removal",\
mitre_technique_id="T1070",\
mitre_subtechnique="Clear Windows Event Logs",\
mitre_subtechnique_id="T1070.001",\
apt=mvappend("APT28","APT32","APT38","APT41","Aquatic Panda","Chimera","Dragonfly","FIN5","FIN8","Indrik Spider","Play","Volt Typhoon"),\
mitre_link="https://attack.mitre.org/techniques/T1070/001/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-12-04",\
last_modify_date="2024-12-04",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime\
| convert ctime(indextime)\
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1074.001] Local Data Staging]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 9-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) ("*discovery.bat*" OR "*discovery.sh*" OR "*Compress-Archive -Path*")\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="",\
mitre_category="Collection",\
mitre_technique="Data Staged",\
mitre_technique_id="T1074",\
mitre_subtechnique="Local Data Staging", \
mitre_subtechnique_id="T1074.001",\
apt="",\
mitre_link="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2025-01-14",\
last_modify_date="2025-01-14",\
mitre_version="v16",\
priority=""\
| `process_create_whitelist`\
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.003] Windows Management Instrumentation Event Subscription]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=21 OR EventCode=21)\
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. ",\
mitre_category=mvappend("Privilege Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="Windows Management Instrumentation Event Subscription",\
mitre_subtechnique_id="T1546.003",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/003/",\
creator="Cpl Iverson",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `wmi_whitelist` \
| eval indextime = _indextime \
| convert ctime(indextime) \
| table _time indextime host_fqdn user_name wmi_consumer_name wmi_consumer_destination mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`

[[T1546.010] AppInit DLLs]
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.send2uba.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
cron_schedule = 14-59/15 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = Arc_reactor_app
request.ui_dispatch_view = search
schedule_window = auto
search = `indextime` `sysmon` (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR registry_key_path="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") \
| eval hash_sha256= lower(hash_sha256),\
hunting_trigger="Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.",\
mitre_category=mvappend("Privilege Escalation","Persistence"),\
mitre_technique="Event Triggered Execution",\
mitre_technique_id="T1546",\
mitre_subtechnique="AppInit DLLs", \
mitre_subtechnique_id="T1546.010",\
apt="",\
mitre_link="https://attack.mitre.org/techniques/T1546/010/",\
creator="Cpl Iverson",\
last_tested="",\
upload_date="2024-01-01",\
last_modify_date="2025-01-09",\
mitre_version="v16",\
priority=""\
| `registry_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path  process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority\
| collect `jarvis_index`