
Created March 3, 2020 22:29
DefendDefenderATP
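// DefendDefenderATP: flag tampering with the Defender for Endpoint policy key
// or its OnboardingInfo value, either of which can detach a device from the
// service. KQL binds `and` tighter than `or`, so the unparenthesised form
// already meant the two groups below; the parentheses make that explicit.
// NOTE(review): `* contains` scans every string column; RegistryKey is the
// precise field if the match ever needs tightening.
DeviceRegistryEvents
| where (* contains "\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection"
         and ActionType == "RegistryKeyDeleted")
    or (RegistryValueName == "OnboardingInfo"
         and RegistryValueData != PreviousRegistryValueData)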
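// Devices exposed to the author's "May RCE" CVE list, scored by how many
// distinct listed CVEs each device carries. DeviceName is not unique across a
// tenant (re-imaged or duplicate hostnames), so the summary is also keyed on
// DeviceId to keep separate devices from being merged; DeviceName and
// OSPlatform are kept for readability.
let MayRCE = dynamic([
    "CVE-2020-0901","CVE-2020-1023","CVE-2020-1024","CVE-2020-1028","CVE-2020-1035",
    "CVE-2020-1037","CVE-2020-1051","CVE-2020-1058","CVE-2020-1060","CVE-2020-1061",
    "CVE-2020-1062","CVE-2020-1064","CVE-2020-1065","CVE-2020-1067","CVE-2020-1069",
    "CVE-2020-1092","CVE-2020-1093","CVE-2020-1096","CVE-2020-1102","CVE-2020-1117",
    "CVE-2020-1126","CVE-2020-1136","CVE-2020-1150","CVE-2020-1153","CVE-2020-1171",
    "CVE-2020-1174","CVE-2020-1175","CVE-2020-1176","CVE-2020-1192"]);
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in (MayRCE)
| summarize CVECount = dcount(CveId) by DeviceId, DeviceName, OSPlatform
// Most exposed devices first for triage
| order by CVECount desc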
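// Devices exposed to the author's "June RCE" CVE list, scored by how many
// distinct listed CVEs each device carries. Keyed on DeviceId as well as
// DeviceName, since hostnames are not guaranteed unique in a tenant and
// grouping on the name alone can merge distinct devices.
let JuneRCE = dynamic([
    "CVE-2020-1208","CVE-2020-1226","CVE-2020-1225","CVE-2020-1248","CVE-2020-1238",
    "CVE-2020-1281","CVE-2020-1299","CVE-2020-1073","CVE-2020-1239","CVE-2020-1236",
    "CVE-2020-1301","CVE-2020-1181","CVE-2020-1216","CVE-2020-1300","CVE-2020-1215",
    "CVE-2020-1286","CVE-2020-1321","CVE-2020-1219","CVE-2020-1214","CVE-2020-1213",
    "CVE-2020-1230","CVE-2020-1223","CVE-2020-1260"]);
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in (JuneRCE)
| summarize CVECount = dcount(CveId) by DeviceId, DeviceName, OSPlatform
// Most exposed devices first for triage
| order by CVECount desc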
// Scoring for the CVEs
let Critical = int(40);
let High = int(10);
let Medium = int(3);
let Low = int(1);
let Informational = int(0);
// Determine OS Version based on MDATP ClientVersion
let OSInformation = (
DeviceInfo
| extend OperatingsystemType = case(ClientVersion hasprefix "10.3720.16299.2", "Windows Server",
// Set the number of days to monitor
let StartTime = ago(7d);
// Create lists to categorize files based on their extension
let CertificateFileExtensions = dynamic([".crt",".cer",".ca-bundle",".p7b",".p7c",".p7s",".pem",".key",".keystore",".jks",".p12",".pfx",".pem"]);
let CompressedFileExtensions = dynamic([".7z",".arj",".deb",".pkg",".rar",".rpm",".gz",".z",".zip",".001",".002",".003",".004",".005",".006",".007",".008",".009",".010",".011",".012",".013",".014",".015",".016",".017",".018",".019",".020",".021",".022",".023",".024",".025",".026",".027",".028",".029",".030",".031",".032",".033",".034",".035",".036",".037",".038",".039",".040",".041",".042",".043",".044",".045",".046",".047",".048",".049",".050",".051",".052",".053",".054",".055",".056",".057",".058",".059",".060",".061",".062",".063",".064",".065",".066",".067",".068",".069",".070",".071",".072",".073",".074",".075",".076",".077",".078",".079",".080",".081",".082",".083",".084",".085",".086",".087",".088",".089",".090",".091",".092",".093",".094
// How far back to look
let lookBack_long = 30d;
// Timeframe for the series
let TimeFrame = 3h;
// Anomaly threshold
let AnomalyThreshold = 3;
// Distinct Device Threshold
let DeviceThreshold = 4;
DeviceLogonEvents
// Look for all events with the type Remote Interactive
let TimeFrame = ago(1d);
// First leg: "Unfamiliar sign-in properties" alerts from the last day, with
// the affected account lifted out of ExtendedProperties and the alert fields
// copied under "1"-suffixed names (presumably for a join further down,
// outside this excerpt).
let Alert1 =
SecurityAlert
| where TimeGenerated > TimeFrame and AlertName == "Unfamiliar sign-in properties"
| extend
    UserPrincipalName = tostring(todynamic(ExtendedProperties)["User Account"]),
    Alert1Time = TimeGenerated,
    Alert1 = AlertName,
    Alert1Severity = AlertSeverity
;
"2020-09-18","Grape",5,"Fabrikam Inc.",1713,
"2020-08-08","Mango",3,"Contoso Ltd.",2944,
"2020-09-17","Cherry",4,"WingTip Toys",1054,
"2020-08-11","Peach",2,"Northwind Traders",5271,
"2020-09-12","Peach",1,"Alpine Ski House",3619,
"2020-09-08","Peach",4,"Northwind Traders",4205,
"2020-08-13","Orange",5,"Alpine Ski House",882,
"2020-09-09","Peach",5,"Contoso Ltd.",3899,
"2020-08-13","Peach",2,"Alpine Ski House",4406,
"2020-08-14","Cherry",4,"Alpine Ski House",976,
// 90-day window over Office activity; RuleTypes names the forward/redirect
// mailbox-rule parameters and is consumed further down, outside this excerpt.
let Lookback = ago(90d);
let RuleTypes = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]);
let AllOfficeActivity =
    OfficeActivity
    | where TimeGenerated > Lookback
    // Parameters is a JSON string; expose it as dynamic for later extraction
    | extend Parsed = todynamic(Parameters)
;
let Signins =
SigninLogs
| where TimeGenerated > Lookback
// Successful sign-ins (ResultType "0") over the long window. Lookback_Short
// is declared here and presumably applied further down, outside this excerpt.
let Lookback_Long = ago(14d);
let Lookback_Short = ago(1h);
let AllSignins =
    SigninLogs
    | where TimeGenerated > Lookback_Long and ResultType == "0"
;
let Signins =
AllSignins
| summarize FirstSeen = min(TimeGenerated), LastObserved = max(TimeGenerated), Count = count() by IPAddress, UserPrincipalName, Location