Azure · nbyt3 · Sep 19, 2023 · Sep 19, 2023 · Sep 22, 2023 · Sep 22, 2023
@@ -0,0 +1,98 @@
+{
+    "id": "CyborgSecurity_HUNTER",
+    "title": "Cyborg Security HUNTER Hunt Packages",
+    "publisher": "Cyborg Security",
+    "descriptionMarkdown": "Cyborg Security is a leading provider of advanced threat hunting solutions, with a mission to empower organizations with cutting-edge technology and collaborative tools to proactively detect and respond to cyber threats. Cyborg Security's flagship offering, the HUNTER Platform, combines powerful analytics, curated threat hunting content, and comprehensive hunt management capabilities to create a dynamic ecosystem for effective threat hunting operations.\n\nFollow the steps to gain access to Cyborg Security's Community and setup the 'Open in Tool' capabilities in the HUNTER Platform.",
+    "availability": {
+        "status": 1,
+        "isPreview": true 
+    },
+    "graphQueries": [
+        {
+            "metricName": "Total SecurityEvents received",
+            "legend": "SecurityEvent",
+            "baseQuery": "SecurityEvent"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description": "All Alerts",
+            "query": "SecurityEvent"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "SecurityEvents",
+            "lastDataReceivedQuery": "SecurityEvent\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "SecurityEvent\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions on the workspace are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "instructions": [
+                {
+                    "parameters": {
+                        "text": "Use the following link to find your Azure Tentant ID <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-find-tenant\">How to find your Azure Active Directory tenant ID</a>",
+                        "visible": true,
+                        "inline": true
+                    },
+                "type": "InfoMessage"
+                },
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "workspaceName"
+                            ],
+                        "label": "ResourceGroupName & WorkspaceName",
+                        "value": "{0}"
+                    },
+                "type": "CopyableLabel"
+                },
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceId"
+                            ],
+                        "label": "WorkspaceID",
+                        "value": "{0}"
+                    },
+                "type": "CopyableLabel"
+                }
+              ]
+        },
+        {
+            "title": "1. Sign up for Cyborg Security's HUNTER Community Account",
+            "description": "Cyborg Security offers Community Memebers access to a subset of the Emerging Threat Collections and hunt packages.\n\nCreate a Free Commuinity Account to get access to Cyborg Security's Hunt Packages: [Sign Up Now!](https://www.cyborgsecurity.com/user-account-creation/)"
+        },
+        {
+            "title": "2. Configure the Open in Tool Feature",
+            "description": "\n\n1.  Navigate to the [Environment](https://hunter.cyborgsecurity.io/environment) section of the HUNTER Platform.\n2.  Fill in te **Root URI** of your environment in the section labeled **Microsoft Sentinel**. Replace the <bolded items> with the IDs and Names of your Subscription, Resource Groups and Workspaces.\n\n    https[]()://portal.azure.com#@**AzureTenantID**/blade/Microsoft_OperationsManagementSuite_Workspace/Logs.ReactView/resourceId/%2Fsubscriptions%2F**AzureSubscriptionID**%2Fresourcegroups%2F**ResourceGroupName**%2Fproviders%2Fmicrosoft.operationalinsights%2Fworkspaces%2F<**WorkspaceName**>/\n3.  Click **Save**."
+        },
+        {
+            "title": "3. Execute a HUNTER hunt pacakge in Microsoft Sentinel",
+            "description": "\n\nIdentify a Cyborg Security HUNTER hunt package to deploy and use the **Open In Tool** button to quickly open Microsoft Sentinel and stage the hunting content.\n\n![image](https://7924572.fs1.hubspotusercontent-na1.net/hubfs/7924572/HUNTER/Screenshots/openintool-ms-new.png)"
+        }
+    ]
+}
@@ -0,0 +1,27 @@
+{
+    "Name": "Cyborg Security HUNTER",
+    "Author": "Mike Mitchell - mike@cyborgsecurity.com",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cyborg-logo-full.svg\" width=\"75px\" height=\"75px\">",
+    "Description": "The [Cyborg Security HUNTER](https://www.cyborgsecurity.com/) solution for Microsoft Sentinel helps analysts to configure the 'Open in Tool' button within the HUNTER platform, allowing the Microsoft Sentinel hunt packages to be deployed in the Microsoft Sentinel Platform",
+    "HuntingQueryBladeDescription": "This solution installs the following Cyborg Security HUNTER hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view",
+    "Data Connectors": [
+      "Data Connectors/CyborgSecurity_HUNTER.json"
+    ],
+    "Hunting Queries" : [
+      "Hunting Queries/Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value.yaml",
+      "Hunting Queries/Excessive Windows Discovery and Execution Processes - Potential Malware Installation.yaml",
+      "Hunting Queries/LSASS Memory Dumping using WerFault.exe - Command Identification.yaml",
+      "Hunting Queries/Metasploit Impacket PsExec Process Creation Activity.yaml",
+      "Hunting Queries/Potential Maldoc Execution Chain Observed.yaml",
+      "Hunting Queries/Powershell Encoded Command Execution.yaml",
+      "Hunting Queries/PowerShell Pastebin Download.yaml",
+      "Hunting Queries/Prohibited Applications Spawning cmd.exe or powershell.exe.yaml",
+      "Hunting Queries/Proxy VBScript Execution via CurrentVersion Registry Key.yaml",
+      "Hunting Queries/Rundll32 or cmd Executing Application from Explorer - Potential Malware Execution Chain.yaml"
+    ],
+    "BasePath": "Solutions/Cyborg Security HUNTER",
+    "Version": "1.0.1",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1Pconnector": false
+  }
@@ -0,0 +1,29 @@
+id: d7233f14-4705-403e-9db9-e0d677c9506b
+name: Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value
+description: |
+  'Identify potential new registry key name that is a non-autorun and non-run key in the HKLM\Software\Microsoft\Windows\CurrentVersion\ registry key containing VBScript in the key value value.'
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1112
+query: |
+  SecurityEvent
+  | where ObjectName has "\\CurrentVersion"
+  | where ObjectName !has "\\Run"
+  | where NewValue contains "RunHTMLApplication" or 
+    NewValue contains "vbscript" or 
+    NewValue contains "jscript" or 
+    NewValue contains "mshtml" or 
+    NewValue contains "mshtml," or 
+    NewValue contains "mshtml " or 
+    NewValue contains "Execute(" or 
+    NewValue contains "CreateObject" or 
+    NewValue contains "RegRead" or 
+    NewValue contains "window.close"
+  | project TimeGenerated, Computer, Process, ObjectName, ObjectValueName, NewValue, OldValue, SubjectUserName, NewProcessId, SourceComputerId
+  | order by TimeGenerated
+version: 1.0.0
@@ -0,0 +1,62 @@
+id: 6d1c9f13-e43e-4b52-a443-5799465d573b
+name: Excessive Windows Discovery and Execution Processes - Potential Malware Installation
+description: |
+  'Utilizes a list of commonly abused LOLB an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection or malicious activity occurring on a victim host.'
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Discovery
+relevantTechniques:
+  - T1016
+query: |
+  SecurityEvent
+  | where NewProcessName has_any (
+    "arp.exe",
+    "at.exe",
+    "attrib.exe",
+    "cscript.exe",
+    "dsquery.exe",
+    "hostname.exe",
+    "ipconfig.exe",
+    "mimikatz.exe",
+    "nbtstat.exe",
+    "net.exe",
+    "netsh.exe",
+    "nslookup.exe",
+    "ping.exe",
+    "quser.exe",
+    "qwinsta.exe",
+    "reg.exe",
+    "runas.exe",
+    "sc.exe",
+    "schtasks.exe",
+    "ssh.exe",
+    "systeminfo.exe",
+    "taskkill.exe",
+    "telnet.exe",
+    "tracert.exe",
+    "wscript.exe",
+    "xcopy.exe",
+    "pscp.exe",
+    "copy.exe",
+    "robocopy.exe",
+    "certutil.exe",
+    "vssadmin.exe",
+    "powershell.exe",
+    "wevtutil.exe",
+    "psexec.exe",
+    "bcedit.exe",
+    "wbadmin.exe",
+    "icacls.exe",
+    "diskpart.exe",
+    "ver.exe",
+    "netstat.exe",
+    "tasklist.exe",
+    "route.exe",
+    "driverquery.exe"
+  )
+  | summarize firstEvent=min(TimeGenerated), lastEvent=max(TimeGenerated), uniqueProcesses=dcount(NewProcessName), eventIds=make_set(tostring(EventID)), processPaths=make_set(NewProcessName), processCommandLines=make_set(CommandLine), parentProcessPaths=make_set(ParentProcessName), processIds=make_set(NewProcessId), parentprocessIds=make_set(ProcessId), eventData=make_set(EventData), count() by SourceComputerId, Computer| order by firstEvent
+  | where uniqueProcesses > 4
+version: 1.0.0
@@ -0,0 +1,18 @@
+id: 4894a60b-d2ee-4f24-be61-0d0c96a84e63
+name: LSASS Memory Dumping using WerFault.exe - Command Identification
+description: |
+  'Identifies WerFault.exe creating a memory dump of lsass.exe (Local Security Authority Subsystem Service, a process responsible for the enforcement of security policies on Windows systems, which generates and stores credentials in its process memory).'
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1003
+query: |
+  SecurityEvent
+  | where NewProcessName endswith "werfault.exe"
+  | where ObjectName endswith "lsass.exe"
+  | project NewProcessName, ObjectName
+version: 1.0.0
@@ -0,0 +1,19 @@
+id: 37cba0d1-8aa5-4f8f-bb26-25a45475ca9a
+name: Metasploit / Impacket PsExec Process Creation Activity
+description: |
+  'Meant to detect process creations containing names consistent with the schema used by Metasploit or Impacket's PsExec tool. Metasploit and Impacket's PsExec tooling is used by malicious actors for lateral movement & performing actions on remote systems.'
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Execution
+relevantTechniques:
+  - T1569.002
+query: |
+  SecurityEvent
+  | where ParentProcessName has "services.exe"
+  | where NewProcessName matches regex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe"
+  | where EventID == "4688"
+  | project EventID, NewProcessName, CommandLine, Computer, ParentProcessName
+version: 1.0.0
@@ -0,0 +1,42 @@
+id: b194088b-c846-4c72-a4b7-933627878db4
+name: Potential Maldoc Execution Chain Observed
+description: |
+  'Detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Indicates an Office document was opened from an email or download/link, spawned a suspicious execution, and attempted to execute code via common Windows binaries.'
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - DefenseEvasion
+  - Execution
+  - InitialAccess
+relevantTechniques:
+  - T1059
+  - T1059.001
+  - T1059.004
+  - T1059.005
+  - T1059.006
+  - T1059.007
+  - T1218.011
+  - T1566.001
+  - T1566.002
+query: |
+  let officeProducts = dynamic(["WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","MSACCESS.EXE","VISIO.EXE","WINPROJ.EXE"]);
+  let executionMethods = dynamic(["powershell.exe","cmd.exe","WScript.exe","rundll32.exe","cscript.exe","wmic.exe","mshta.exe","msiexec.exe"]);
+  SecurityEvent
+  | where TimeGenerated >= ago(7d)
+  | where (NewProcessName has_any (officeProducts,"OUTLOOK.EXE","explorer.exe",executionMethods) or ParentProcessName has_any (officeProducts,"OUTLOOK","explorer",executionMethods))
+  | project TimeGenerated, Computer, Activity, EventID, CommandLine, NewProcessName, processId = tolong(NewProcessId), ParentProcessName, parentProcessId = tolong(ProcessId)
+  | extend sourceAppTrue=case(NewProcessName endswith "outlook.exe",1,
+                              (ParentProcessName has_any("outlook.exe","explorer.exe") and NewProcessName has_any(officeProducts)),1,
+                              0)
+  | extend officeAppTrue=case(NewProcessName has_any(officeProducts),1,
+                              ParentProcessName has_any(officeProducts),1,
+                              0)
+  | extend executionTrue=case(NewProcessName has_any(executionMethods),1,
+                              ParentProcessName has_any(executionMethods),1,
+                              0)
+  | summarize process=make_set(NewProcessName,10), processId=make_set(processId,10), parentProcess=make_set(ParentProcessName,10),parentProcessId=make_set(parentProcessId,10), sourceApp=sum(sourceAppTrue), officeApp=sum(officeAppTrue), execution=sum(executionTrue)
+  by Computer, bin(TimeGenerated,5m)
+  | where sourceApp > 0 and officeApp > 0 and execution > 0
+version: 1.0.0
@@ -0,0 +1,32 @@
+id: e186a8af-3d4a-4003-93b7-9b199e0b1dd1
+name: PowerShell Pastebin Download
+description: |
+  'Detects PowerShell commands downloading and execute code hosted on Pastebin and other services. This technique has been used by malicious actors to distribute malware, in particular it has been used by the EvilCorp Ransomware variants such as Sodinokibi.'
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - CommandandControl
+relevantTechniques:
+  - T1102
+query: |
+  SecurityEvent
+  | where Process  has "powershell.exe"
+  | where CommandLine contains "http"
+  | where CommandLine has_any (
+    "pastebin",
+    "github",
+    "ghostbin",
+    "githubusercontent",
+    "0bin",
+    "zerobin",
+    "privatebin",
+    "klgrth",
+    "termbin",
+    "hatebin",
+    "hastebin",
+    "dumpz"
+  ) or  CommandLine contains ".onion" or CommandLine contains "paste."
+  | project TimeGenerated, Computer, tostring(EventID), ParentProcessName, NewProcessName, CommandLine, SubjectUserName, SourceComputerId, processID=tolong(NewProcessId), parentProcessID=tolong(ProcessId), EventData| order by TimeGenerated
+version: 1.0.0