Castaldio86
Castaldio86
/ KQL-MTP-Hunt-Admins
Created
November 2, 2020 22:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let DC = DeviceNetworkEvents | |
| | where LocalPort == "88" | |
| | distinct DeviceId | |
| | extend Type = "DomainController" | |
| ; | |
| let SVR = DeviceInfo | |
| | where OSPlatform in ("WindowsServer2008R2","WindowsServer2019","WindowsServer2016","WindowsServer2012R2") and RegistryDeviceTag !contains "Domain Controllers" | |
| | distinct DeviceId | |
| | extend Type = "Server" | |
| ; |
Castaldio86
/ KQL-Detect-AV
Last active
November 2, 2020 20:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| emet_agent.exe | |
| emet_service.exe | |
| firesvc.exe | |
| firetray.exe | |
| hipsvc.exe | |
| mfevtps.exe | |
| mcafeefire.exe | |
| scan32.exe | |
| shstat.exe | |
| tbmon.exe |
Castaldio86
/ KQL-O365-ClientSide-Forwards
Created
October 8, 2020 21:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let Lookback_Long = ago(14d); | |
| let Lookback_Short = ago(1h); | |
| let AllSignins = | |
| SigninLogs | |
| | where TimeGenerated > Lookback_Long | |
| | where ResultType == "0" | |
| ; | |
| let Signins = | |
| AllSignins | |
| | summarize FirstSeen = min(TimeGenerated), LastObserved = max(TimeGenerated), Count = count() by IPAddress, UserPrincipalName, Location |
Castaldio86
/ KQL-O365-Forward-Detection
Created
October 8, 2020 21:10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let Lookback = ago(90d); | |
| let RuleTypes = dynamic([ "ForwardTo" , "ForwardAsAttachmentTo", "RedirectTo"]); | |
| let AllOfficeActivity = | |
| OfficeActivity | |
| | where TimeGenerated > Lookback | |
| | extend Parsed=parse_json(Parameters) | |
| ; | |
| let Signins = | |
| SigninLogs | |
| | where TimeGenerated > Lookback |
Castaldio86
/ Sentinel-Render-SampleData
Created
September 21, 2020 19:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "2020-09-18","Grape",5,"Fabrikam Inc.",1713, | |
| "2020-08-08","Mango",3,"Contoso Ltd.",2944, | |
| "2020-09-17","Cherry",4,"WingTip Toys",1054, | |
| "2020-08-11","Peach",2,"Northwind Traders",5271, | |
| "2020-09-12","Peach",1,"Alpine Ski House",3619, | |
| "2020-09-08","Peach",4,"Northwind Traders",4205, | |
| "2020-08-13","Orange",5,"Alpine Ski House",882, | |
| "2020-09-09","Peach",5,"Contoso Ltd.",3899, | |
| "2020-08-13","Peach",2,"Alpine Ski House",4406, | |
| "2020-08-14","Cherry",4,"Alpine Ski House",976, |
Castaldio86
/ Correlate Unfamiliar sign-in properties and atypical travel alerts
Created
September 19, 2020 19:41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let TimeFrame = ago(1d); | |
| let Alert1 = | |
| SecurityAlert | |
| | where TimeGenerated > TimeFrame | |
| | where AlertName == "Unfamiliar sign-in properties" | |
| | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"]) | |
| | extend Alert1Time = TimeGenerated | |
| | extend Alert1 = AlertName | |
| | extend Alert1Severity = AlertSeverity | |
| ; |
Castaldio86
/ KQL-MTP-Detection-Remote-Session
Created
August 3, 2020 16:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // How long to lookback | |
| let lookBack_long = 30d; | |
| // Timeframe for the series | |
| let TimeFrame = 3h; | |
| // Anomaly threshold | |
| let AnomalyThreshold = 3; | |
| // Distinct Device Threshold | |
| let DeviceThreshold = 4; | |
| DeviceLogonEvents | |
| // Look for all events with the type Remote Interactive |
Castaldio86
/ KQL-MTP-Physical-Data-Exfiltration
Created
July 17, 2020 21:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Set the amount of days to monitor | |
| let StartTime = ago(7d); | |
| // Create lists to categorize files based on their extension | |
| let CertificateFileExtensions = dynamic([".crt",".cer",".ca-bundle",".p7b",".p7c",".p7s",".pem",".key",".keystore",".jks",".p12",".pfx",".pem"]); | |
| let CompressedFileExtensions = dynamic([".7z",".arj",".deb",".pkg",".rar",".rpm",".gz",".z",".zip",".001",".002",".003",".004",".005",".006",".007",".008",".009",".010",".011",".012",".013",".014",".015",".016",".017",".018",".019",".020",".021",".022",".023",".024",".025",".026",".027",".028",".029",".030",".031",".032",".033",".034",".035",".036",".037",".038",".039",".040",".041",".042",".043",".044",".045",".046",".047",".048",".049",".050",".051",".052",".053",".054",".055",".056",".057",".058",".059",".060",".061",".062",".063",".064",".065",".066",".067",".068",".069",".070",".071",".072",".073",".074",".075",".076",".077",".078",".079",".080",".081",".082",".083",".084",".085",".086",".087",".088",".089",".090",".091",".092",".093",".094 |
Castaldio86
/ KQL-MTP-TVM-Worklist
Created
July 17, 2020 20:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Scoring for the CVEs | |
| let Critical = int(40); | |
| let High = int(10); | |
| let Medium = int(3); | |
| let Low = int(1); | |
| let Informational = int(0); | |
| // Determine OS Version based on MDATP ClientVersion | |
| let OSInformation = ( | |
| DeviceInfo | |
| | extend OperatingsystemType = case(ClientVersion hasprefix "10.3720.16299.2", "Windows Server", |
Castaldio86
/ [June 2020] Patch Tuesday RCE Hunt Query
Created
June 10, 2020 12:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let JuneRCE = dynamic(["CVE-2020-1208","CVE-2020-1226","CVE-2020-1225","CVE-2020-1248","CVE-2020-1238","CVE-2020-1281","CVE-2020-1299","CVE-2020-1073","CVE-2020-1239","CVE-2020-1236","CVE-2020-1301","CVE-2020-1181","CVE-2020-1216","CVE-2020-1300","CVE-2020-1215","CVE-2020-1286","CVE-2020-1321","CVE-2020-1219","CVE-2020-1214","CVE-2020-1213","CVE-2020-1230","CVE-2020-1223","CVE-2020-1260"]); | |
| DeviceTvmSoftwareInventoryVulnerabilities | |
| | where CveId in (JuneRCE) | |
| | summarize CVECount = dcount(CveId) by DeviceName, OSPlatform |
NewerOlder