Microsoft 365 - Bugfixes

.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json

@@ -0,0 +1,200 @@
+{
+    "FunctionName": "_ASim_RegistryEvent",
+    "FunctionParameters": [
+          {
+          "Name": "disabled",
+          "Type": "bool",
+          "IsRequired": false
+          }
+    ],
+    "FunctionResultColumns": [
+        {
+          "Name": "TimeGenerated",
+          "Type": "datetime"
+        },
+        {
+          "Name": "_ResourceId",
+          "Type": "string"
+        },
+        {
+          "Name": "Type",
+          "Type": "string"
+        },
+        {
+          "Name": "EventType",
+          "Type": "string"
+        },
+        {
+          "Name": "EventProduct",
+          "Type": "string"
+        },
+        {
+          "Name": "EventProductVersion",
+          "Type": "string"
+        },
+        {
+          "Name": "EventCount",
+          "Type": "int"
+        },
+        {
+          "Name": "EventMessage",
+          "Type": "string"
+        },
+        {
+          "Name": "EventVendor",
+          "Type": "string"
+        },
+        {
+          "Name": "EventSchemaVersion",
+          "Type": "string"
+        },
+        {
+          "Name": "EventOriginalUid",
+          "Type": "string"
+        },
+        {
+          "Name": "EventOriginalType",
+          "Type": "string"
+        },
+        {
+          "Name": "EventStartTime",
+          "Type": "datetime"
+        },
+        {
+          "Name": "EventEndTime",
+          "Type": "datetime"
+        },
+        {
+          "Name": "EventReportUrl",
+          "Type": "string"
+        },
+        {
+          "Name": "AdditionalFields",
+          "Type": "dynamic"
+        },
+        {
+          "Name": "RegistryKey",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryValue",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryValueType",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryValueData",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryPreviousKey",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryPreviousValue",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryPreviousValueType",
+          "Type": "string"
+        },
+        {
+          "Name": "RegistryPreviousValueData",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcId",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcHostname",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcDomain",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcIpAddr",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcOs",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcOsVersion",
+          "Type": "string"
+        },
+        {
+          "Name": "DvcMacAddr",
+          "Type": "string"
+        },
+        {
+          "Name": "ActorUsername",
+          "Type": "string"
+        },
+        {
+          "Name": "ActorUsernameType",
+          "Type": "string"
+        },
+        {
+          "Name": "ActorUserId",
+          "Type": "string"
+        },
+        {
+          "Name": "ActorUserIdType",
+          "Type": "string"
+        },
+        {
+          "Name": "ActorSessionId",
+          "Type": "string"
+        },
+        {
+          "Name": "ActingProcessCommandLine",
+          "Type": "string"
+        },
+        {
+          "Name": "ActingProcessName",
+          "Type": "string"
+        },
+        {
+          "Name": "ActingProcessId",
+          "Type": "string"
+        },
+        {
+          "Name": "ActingProcessGuid",
+          "Type": "string"
+        },
+        {
+          "Name": "ParentProcessName",
+          "Type": "string"
+        },
+        {
+          "Name": "ParentProcessId",
+          "Type": "string"
+        },
+        {
+          "Name": "ParentProcessGuid",
+          "Type": "string"
+        },
+        {
+          "Name": "Dvc",
+          "Type": "string"
+        },
+        {
+          "Name": "User",
+          "Type": "string"
+        },
+        {
+          "Name": "Process",
+          "Type": "string"
+        },
+        {
+          "Name": "Username",
+          "Type": "string"
+        }
+      ]
+  }

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -2576,6 +2576,11 @@
     "templateName": "DetectPortMisuseByStaticThresholdHunting.yaml",
     "validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used being used in query. This is a known issue when using Watchlist"
   },
+  {
+    "id": "595aea5c-74c7-415b-8b12-10af1a338cdf",
+    "templateName": "FilesWithRansomwareExtensions.yaml",
+    "validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used being used in query. This is a known limitaion for validation."
+  },
   {
     "id": "320e7a40-d60e-4e07-9ef7-798f5383625d",
     "templateName": "AFD-Premium-WAF-XSSDetection.yaml",

Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml

@@ -0,0 +1,94 @@
+id: 259de2c1-c546-4c6d-a17c-df639722f4d7
+name: Detect Malicious Usage of Recovery Tools to Delete Backup Files
+description: |
+  This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.
+  https://attack.mitre.org/techniques/T1490/
+severity: High
+status: Available 
+tags:
+  - Schema: _ASim_ProcessEvent
+    SchemaVersion: 0.1.4
+requiredDataConnectors:
+  - connectorId: CrowdStrikeFalconEndpointProtection
+    dataTypes: 
+      - CommonSecurityLog
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - SecurityAlert
+  - connectorId: SentinelOne
+    dataTypes:
+      - SentinelOne_CL
+  - connectorId: VMwareCarbonBlack
+    dataTypes:
+      - CarbonBlackNotifications_CL
+  - connectorId: CiscoSecureEndpoint
+    dataTypes:
+      - CiscoSecureEndpoint_CL
+  - connectorId: TrendMicroApexOne
+    dataTypes:
+      - TMApexOneEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1490
+query: |
+  _ASim_ProcessEvent
+  | where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
+  | where CommandLine has_all ('delete', 'shadow')
+  | union isfuzzy=True 
+      (_ASim_ProcessEvent
+      | where TargetProcessFilename =~ 'bcedit.exe'
+      | where CommandLine has_all ('/set', 'recoveryenabled no')
+      )
+  | project
+      TimeGenerated,
+      DvcHostname,
+      DvcIpAddr,
+      DvcDomain,
+      TargetUsername,
+      TargetUsernameType,
+      TargetProcessName,
+      TargetProcessId,
+      CommandLine
+  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
+  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
+  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
+  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: DvcHostname
+      - identifier: DnsDomain
+        columnName: DvcDomain
+      - identifier: NTDomain
+        columnName: NTDomain
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: DvcIpAddr
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: Username
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+      - identifier: NTDomain
+        columnName: NTDomain
+  - entityType: Process
+    fieldMappings:
+      - identifier: ProcessId
+        columnName: TargetProcessId
+      - identifier: CommandLine
+        columnName: CommandLine
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
+  alertDescriptionFormat: "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files."
+version: 1.0.0
+kind: Scheduled