Antonlovesdnb
Antonlovesdnb
/ WhiteChocolateMacademiaNut.xml
Last active
December 18, 2020 16:41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Rule name="Chromium Incoming Network Connect" groupRelation="and"> | |
| <Initiated condition="is">false</Initiated> | |
| <SourceIp condition="contains any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp> | |
| </Rule> | |
| <Rule groupRelation="and" name="Suspicous ImageLoad-umpdc"> | |
| <!--https://strontic.github.io/xcyclopedia/library/umpdc.dll-EA034AD86D4E3364D11AC60C3DC8F78E.html --> | |
| <Image condition="excludes any">C:\Windows\;C:\Program</Image> | |
| <ImageLoaded condition="contains">umpdc.dll</ImageLoaded> | |
| </Rule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //These are KQL queries that I'm playing with - not production ready, not tested in production, I am very new to KQL :) | |
| //I am using the Sysmon parser here: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Sysmon/Sysmon-v11.0.txt | |
| //Each query includes a description of what I was trying to accomplish | |
| //I want to get a list of distinct process guids, and then based off that, list the DLL's loaded by each Process - I want to use ProcessGuid rather than Image to seperate out ImageLoads by instance of a process - to view this enable the "Group Columns" feature and drag the Image field into the grey area | |
| Sysmon | |
| | where EventID == 7 | |
| | summarize dc_processguid=make_set(tostring(ProcessGuid)) by tostring(ImageLoaded), tostring((Image)) | |
| | summarize make_list(tostring(ImageLoaded)) by tostring((dc_processguid)),tostring(Image) | |
| | project Image, list_ImageLoaded |