Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cyborgsecurity-hunter-solution-v1 #9041

Closed
Closed
Show file tree
Hide file tree
Changes from 26 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
0022197
cyborgsecurity-hunter-solution-v1
nbyt3 Sep 19, 2023
1672b3e
cyborg-security-updating-logos
nbyt3 Sep 19, 2023
38a46fd
updates
nbyt3 Sep 22, 2023
a7cf2c7
update-issue with resourceIDs
nbyt3 Sep 22, 2023
4859b16
Merge branch 'Azure:master' into cyborgsecurity-hunter-solution
nbyt3 Sep 22, 2023
7862663
bump version
nbyt3 Sep 22, 2023
a790c9c
Update Excessive Windows Discovery and Execution Processes - Potentia…
nbyt3 Oct 2, 2023
5b85650
feedback-updates
nbyt3 Oct 2, 2023
9bfe5e6
feedback-updates
nbyt3 Oct 2, 2023
2e66498
fixed-logo
nbyt3 Oct 2, 2023
4c2fdd1
resubmission
nbyt3 Oct 2, 2023
e720a42
update-image
nbyt3 Oct 2, 2023
3319312
Delete Solutions/CyberArkEPM/Package/mainTemplate.json
nbyt3 Oct 2, 2023
7d775d8
re-adding deleted file
nbyt3 Oct 2, 2023
5703acf
updating based on refer link for validation
nbyt3 Oct 2, 2023
0c7d6b2
feedback-10-3-2023
nbyt3 Oct 3, 2023
6cdd51a
feedback-10-3-2023
nbyt3 Oct 3, 2023
2e5c7ed
feedback-10-10-2023
nbyt3 Oct 10, 2023
d6580e5
update-main-template
nbyt3 Oct 10, 2023
db567f0
local-arm-ttk-run
nbyt3 Oct 10, 2023
f4e7812
feedback10-16-2023
nbyt3 Oct 16, 2023
ce1e2c1
arm-ttk run
nbyt3 Oct 16, 2023
6556a67
arm-ttk run-2
nbyt3 Oct 16, 2023
34d2834
arm-ttk3
nbyt3 Oct 16, 2023
af568df
Delete Solutions/CyberArkEPM/Package/mainTemplate.json
nbyt3 Oct 23, 2023
5d5c18a
updated-logo
nbyt3 Oct 23, 2023
c64acef
update_link
nbyt3 Oct 23, 2023
abf3e87
update style for png
nbyt3 Oct 23, 2023
b63f99f
update_logo
nbyt3 Oct 26, 2023
58a36ea
Revert "Delete Solutions/CyberArkEPM/Package/mainTemplate.jso"
nbyt3 Oct 31, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions Logos/cyborg-logo-full.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
2,957 changes: 0 additions & 2,957 deletions Solutions/CyberArkEPM/Package/mainTemplate.json

This file was deleted.

Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
{
"id": "CyborgSecurity_HUNTER",
"title": "Cyborg Security HUNTER Hunt Packages",
"publisher": "Cyborg Security",
"descriptionMarkdown": "Cyborg Security is a leading provider of advanced threat hunting solutions, with a mission to empower organizations with cutting-edge technology and collaborative tools to proactively detect and respond to cyber threats. Cyborg Security's flagship offering, the HUNTER Platform, combines powerful analytics, curated threat hunting content, and comprehensive hunt management capabilities to create a dynamic ecosystem for effective threat hunting operations.\n\nFollow the steps to gain access to Cyborg Security's Community and setup the 'Open in Tool' capabilities in the HUNTER Platform.",
"availability": {
"status": 1,
"isPreview": true
},
"graphQueries": [
{
"metricName": "Total SecurityEvents received",
"legend": "SecurityEvent",
"baseQuery": "SecurityEvent"
}
],
"sampleQueries": [
{
"description": "All Alerts",
"query": "SecurityEvent"
}
],
"dataTypes": [
{
"name": "SecurityEvents",
"lastDataReceivedQuery": "SecurityEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SecurityEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"parameters": {
"text": "Use the following link to find your Azure Tentant ID <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-find-tenant\">How to find your Azure Active Directory tenant ID</a>",
"visible": true,
"inline": true
},
"type": "InfoMessage"
},
{
"parameters": {
"fillWith": [
"workspaceName"
],
"label": "ResourceGroupName & WorkspaceName",
"value": "{0}"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "WorkspaceID",
"value": "{0}"
},
"type": "CopyableLabel"
}
]
},
{
"title": "1. Sign up for Cyborg Security's HUNTER Community Account",
"description": "Cyborg Security offers Community Memebers access to a subset of the Emerging Threat Collections and hunt packages.\n\nCreate a Free Commuinity Account to get access to Cyborg Security's Hunt Packages: [Sign Up Now!](https://www.cyborgsecurity.com/user-account-creation/)"
},
{
"title": "2. Configure the Open in Tool Feature",
"description": "\n\n1. Navigate to the [Environment](https://hunter.cyborgsecurity.io/environment) section of the HUNTER Platform.\n2. Fill in te **Root URI** of your environment in the section labeled **Microsoft Sentinel**. Replace the <bolded items> with the IDs and Names of your Subscription, Resource Groups and Workspaces.\n\n https[]()://portal.azure.com#@**AzureTenantID**/blade/Microsoft_OperationsManagementSuite_Workspace/Logs.ReactView/resourceId/%2Fsubscriptions%2F**AzureSubscriptionID**%2Fresourcegroups%2F**ResourceGroupName**%2Fproviders%2Fmicrosoft.operationalinsights%2Fworkspaces%2F<**WorkspaceName**>/\n3. Click **Save**."
},
{
"title": "3. Execute a HUNTER hunt pacakge in Microsoft Sentinel",
"description": "\n\nIdentify a Cyborg Security HUNTER hunt package to deploy and use the **Open In Tool** button to quickly open Microsoft Sentinel and stage the hunting content.\n\n![image](https://7924572.fs1.hubspotusercontent-na1.net/hubfs/7924572/HUNTER/Screenshots/openintool-ms-new.png)"
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
{
"Name": "Cyborg Security HUNTER",
"Author": "Mike Mitchell - mike@cyborgsecurity.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cyborgsecurity-logo-75px.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Cyborg Security HUNTER](https://www.cyborgsecurity.com/) solution for Microsoft Sentinel helps analysts to configure the 'Open in Tool' button within the HUNTER platform, allowing the Microsoft Sentinel hunt packages to be deployed in the Microsoft Sentinel Platform",
"HuntingQueryBladeDescription": "This solution installs the following Cyborg Security HUNTER hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view",
"Data Connectors": [
"Data Connectors/CyborgSecurity_HUNTER.json"
],
"Hunting Queries" : [
"Hunting Queries/Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value.yaml",
"Hunting Queries/Excessive Windows Discovery and Execution Processes - Potential Malware Installation.yaml",
"Hunting Queries/LSASS Memory Dumping using WerFault.exe - Command Identification.yaml",
"Hunting Queries/Metasploit Impacket PsExec Process Creation Activity.yaml",
"Hunting Queries/Potential Maldoc Execution Chain Observed.yaml",
"Hunting Queries/Powershell Encoded Command Execution.yaml",
"Hunting Queries/PowerShell Pastebin Download.yaml",
"Hunting Queries/Prohibited Applications Spawning cmd.exe or powershell.exe.yaml",
"Hunting Queries/Proxy VBScript Execution via CurrentVersion Registry Key.yaml",
"Hunting Queries/Rundll32 or cmd Executing Application from Explorer - Potential Malware Execution Chain.yaml"
],
"BasePath": "Solutions/Cyborg Security HUNTER",
"Version": "1.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
id: d7233f14-4705-403e-9db9-e0d677c9506b
name: Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value
description: |
'Identify potential new registry key name that is a non-autorun and non-run key in the HKLM\Software\Microsoft\Windows\CurrentVersion\ registry key containing VBScript in the key value value.'
requiredDataConnectors:
- connectorId: SecurityEvent
dataTypes:
- SecurityEvent
tactics:
- DefenseEvasion
relevantTechniques:
- T1112
query: |
SecurityEvent
| where ObjectName has "\\CurrentVersion"
| where ObjectName !has "\\Run"
| where NewValue contains "RunHTMLApplication" or
NewValue contains "vbscript" or
NewValue contains "jscript" or
NewValue contains "mshtml" or
NewValue contains "mshtml," or
NewValue contains "mshtml " or
NewValue contains "Execute(" or
NewValue contains "CreateObject" or
NewValue contains "RegRead" or
NewValue contains "window.close"
| project TimeGenerated, Computer, Process, ObjectName, ObjectValueName, NewValue, OldValue, SubjectUserName, NewProcessId, SourceComputerId
| order by TimeGenerated
version: 1.0.0
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
id: 6d1c9f13-e43e-4b52-a443-5799465d573b
name: Excessive Windows Discovery and Execution Processes - Potential Malware Installation
description: |
'Utilizes a list of commonly abused LOLB an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection or malicious activity occurring on a victim host.'
requiredDataConnectors:
- connectorId: SecurityEvent
dataTypes:
- SecurityEvent
tactics:
- Discovery
relevantTechniques:
- T1016
query: |
SecurityEvent
| where NewProcessName has_any (
"arp.exe",
"at.exe",
"attrib.exe",
"cscript.exe",
"dsquery.exe",
"hostname.exe",
"ipconfig.exe",
"mimikatz.exe",
"nbtstat.exe",
"net.exe",
"netsh.exe",
"nslookup.exe",
"ping.exe",
"quser.exe",
"qwinsta.exe",
"reg.exe",
"runas.exe",
"sc.exe",
"schtasks.exe",
"ssh.exe",
"systeminfo.exe",
"taskkill.exe",
"telnet.exe",
"tracert.exe",
"wscript.exe",
"xcopy.exe",
"pscp.exe",
"copy.exe",
"robocopy.exe",
"certutil.exe",
"vssadmin.exe",
"powershell.exe",
"wevtutil.exe",
"psexec.exe",
"bcedit.exe",
"wbadmin.exe",
"icacls.exe",
"diskpart.exe",
"ver.exe",
"netstat.exe",
"tasklist.exe",
"route.exe",
"driverquery.exe"
)
| summarize firstEvent=min(TimeGenerated), lastEvent=max(TimeGenerated), uniqueProcesses=dcount(NewProcessName), eventIds=make_set(tostring(EventID)), processPaths=make_set(NewProcessName), processCommandLines=make_set(CommandLine), parentProcessPaths=make_set(ParentProcessName), processIds=make_set(NewProcessId), parentprocessIds=make_set(ProcessId), eventData=make_set(EventData), count() by SourceComputerId, Computer| order by firstEvent
| where uniqueProcesses > 4
version: 1.0.0
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
id: 4894a60b-d2ee-4f24-be61-0d0c96a84e63
name: LSASS Memory Dumping using WerFault.exe - Command Identification
description: |
'Identifies WerFault.exe creating a memory dump of lsass.exe (Local Security Authority Subsystem Service, a process responsible for the enforcement of security policies on Windows systems, which generates and stores credentials in its process memory).'
requiredDataConnectors:
- connectorId: SecurityEvent
dataTypes:
- SecurityEvent
tactics:
- CredentialAccess
relevantTechniques:
- T1003
query: |
SecurityEvent
| where NewProcessName endswith "werfault.exe"
| where ObjectName endswith "lsass.exe"
| project NewProcessName, ObjectName
version: 1.0.0
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
id: 37cba0d1-8aa5-4f8f-bb26-25a45475ca9a
name: Metasploit / Impacket PsExec Process Creation Activity
description: |
'Meant to detect process creations containing names consistent with the schema used by Metasploit or Impacket's PsExec tool. Metasploit and Impacket's PsExec tooling is used by malicious actors for lateral movement & performing actions on remote systems.'
requiredDataConnectors:
- connectorId: SecurityEvent
dataTypes:
- SecurityEvent
tactics:
- Execution
relevantTechniques:
- T1569.002
query: |
SecurityEvent
| where ParentProcessName has "services.exe"
| where NewProcessName matches regex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe"
| where EventID == "4688"
| project EventID, NewProcessName, CommandLine, Computer, ParentProcessName
version: 1.0.0
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
id: b194088b-c846-4c72-a4b7-933627878db4
name: Potential Maldoc Execution Chain Observed
description: |
'Detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Indicates an Office document was opened from an email or download/link, spawned a suspicious execution, and attempted to execute code via common Windows binaries.'
requiredDataConnectors:
- connectorId: SecurityEvent
dataTypes:
- SecurityEvent
tactics:
- DefenseEvasion
- Execution
- InitialAccess
relevantTechniques:
- T1059
- T1059.001
- T1059.004
- T1059.005
- T1059.006
- T1059.007
- T1218.011
- T1566.001
- T1566.002
query: |
let officeProducts = dynamic(["WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","MSACCESS.EXE","VISIO.EXE","WINPROJ.EXE"]);
let executionMethods = dynamic(["powershell.exe","cmd.exe","WScript.exe","rundll32.exe","cscript.exe","wmic.exe","mshta.exe","msiexec.exe"]);
SecurityEvent
| where TimeGenerated >= ago(7d)
| where (NewProcessName has_any (officeProducts,"OUTLOOK.EXE","explorer.exe",executionMethods) or ParentProcessName has_any (officeProducts,"OUTLOOK","explorer",executionMethods))
| project TimeGenerated, Computer, Activity, EventID, CommandLine, NewProcessName, processId = tolong(NewProcessId), ParentProcessName, parentProcessId = tolong(ProcessId)
| extend sourceAppTrue=case(NewProcessName endswith "outlook.exe",1,
(ParentProcessName has_any("outlook.exe","explorer.exe") and NewProcessName has_any(officeProducts)),1,
0)
| extend officeAppTrue=case(NewProcessName has_any(officeProducts),1,
ParentProcessName has_any(officeProducts),1,
0)
| extend executionTrue=case(NewProcessName has_any(executionMethods),1,
ParentProcessName has_any(executionMethods),1,
0)
| summarize process=make_set(NewProcessName,10), processId=make_set(processId,10), parentProcess=make_set(ParentProcessName,10),parentProcessId=make_set(parentProcessId,10), sourceApp=sum(sourceAppTrue), officeApp=sum(officeAppTrue), execution=sum(executionTrue)
by Computer, bin(TimeGenerated,5m)
| where sourceApp > 0 and officeApp > 0 and execution > 0
version: 1.0.0
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
id: e186a8af-3d4a-4003-93b7-9b199e0b1dd1
name: PowerShell Pastebin Download
description: |
'Detects PowerShell commands downloading and execute code hosted on Pastebin and other services. This technique has been used by malicious actors to distribute malware, in particular it has been used by the EvilCorp Ransomware variants such as Sodinokibi.'
requiredDataConnectors:
- connectorId: SecurityEvent
dataTypes:
- SecurityEvent
tactics:
- CommandandControl
relevantTechniques:
- T1102
query: |
SecurityEvent
| where Process has "powershell.exe"
| where CommandLine contains "http"
| where CommandLine has_any (
"pastebin",
"github",
"ghostbin",
"githubusercontent",
"0bin",
"zerobin",
"privatebin",
"klgrth",
"termbin",
"hatebin",
"hastebin",
"dumpz"
) or CommandLine contains ".onion" or CommandLine contains "paste."
| project TimeGenerated, Computer, tostring(EventID), ParentProcessName, NewProcessName, CommandLine, SubjectUserName, SourceComputerId, processID=tolong(NewProcessId), parentProcessID=tolong(ProcessId), EventData| order by TimeGenerated
version: 1.0.0
Loading
Loading