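// Outbound connections to SolarWinds-related indicator IPs, from DeviceNetworkEvents.
// The indicator list is a static snapshot: keep it in a watchlist / threat-intel feed
// (externaldata or a Sentinel watchlist) and re-validate the IPs before relying on hits.
let IPs = dynamic(["98.176.196.89", "68.235.178.32",
                   "208.113.35.58", "144.34.179.162", "97.77.97.58"]);
DeviceNetworkEvents
// Time filter first: it lets the engine prune data before the IP/string predicates run.
| where Timestamp > ago(7d)
| where RemoteIP in (IPs)
// Only established TCP/443 sessions are kept. When hunting for beaconing *attempts*
// (blocked by a proxy or firewall) widen ActionType to include ConnectionFailed /
// ConnectionRequest and drop the port filter - an IOC hit on any port is interesting.
| where RemotePort == 443 and Protocol == "Tcp" and ActionType == "ConnectionSuccess"
// Columns an analyst needs to triage: which host, which process and account made the call.
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName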
// Devices that Defender Vulnerability Management reports as exposed to the listed
// Microsoft CVEs, grouped by the security update that would remediate them.
let MSzerodays = dynamic([
    "CVE-2021-31979",
    "CVE-2021-33771",
    "CVE-2021-34448"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (MSzerodays)
// One row per device / OS / recommended KB. "Securitypatches" is the number of
// matching vulnerability rows for that group (not patches installed); the unnamed
// make_set() column (set_CveId) lists which of the CVEs were observed on the device.
| summarize Securitypatches = count(), make_set(CveId) by DeviceName, OSPlatform, KBID = RecommendedSecurityUpdateId
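// Process creations (Security event 4688) whose command line carries the
// "e=Access&y=Guest&p=...&c=...&k=..." parameter pattern.
// Prerequisite: the "Include command line in process creation events" audit policy
// must be enabled on the source hosts - otherwise CommandLine is empty and this
// query silently returns nothing.
SecurityEvent
| where EventID == 4688
// `contains` is a case-insensitive substring match; all five fragments must be present.
| where CommandLine contains 'e=Access&'
    and CommandLine contains 'y=Guest&'
    and CommandLine contains '&p='
    and CommandLine contains '&c='
    and CommandLine contains '&k='
// Computer and ParentProcessName added at the end: a hit cannot be triaged without
// knowing which host it came from and what spawned the process.
| project TimeGenerated, Account, CommandLine, NewProcessName, Process, SubjectUserName, Computer, ParentProcessName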
// Host/network discovery commands (gpresult, net view, netstat) matched by exact command line.
// The query is truncated on this page; the predicate continues beyond the last line shown.
// NOTE(review): the filter is on InitiatingProcessCommandLine, i.e. the PARENT of the
// process in each row, so it returns processes spawned *by* e.g. "gpresult /z" rather
// than the discovery command itself. ProcessCommandLine is probably the intended column - confirm.
// NOTE(review): `==` is a case-sensitive, exact-string comparison, so "GPRESULT /Z",
// "gpresult.exe /z", extra whitespace or any additional switch evades every branch.
// Matching FileName with in~ and the arguments with a case-insensitive operator
// (has / contains) would be far harder to bypass.
DeviceProcessEvents | |
| where Timestamp > ago(7d) | |
| where (InitiatingProcessCommandLine == 'gpresult /z' | |
or InitiatingProcessCommandLine == 'gpresult /v' | |
or InitiatingProcessCommandLine == 'gpresult' | |
or InitiatingProcessCommandLine == 'net view' | |
or InitiatingProcessCommandLine == 'net view /domain' | |
or InitiatingProcessCommandLine == 'netstat' | |
or InitiatingProcessCommandLine == 'netstat -nab' | |
or InitiatingProcessCommandLine == 'netstat -nao' |
// Adversaries may run scanning / penetration-testing tools on a host: look for process,
// file and network events whose initiating process name matches a known tool.
// The query is truncated on this page; the predicate continues beyond the last line shown.
// NOTE(review): `contains 'curl'` and `contains 'wget'` will be very noisy - curl.exe ships
// with current Windows builds and both are used by many legitimate scripts; consider
// scoping by command line, parent process or account, or removing them from this list.
// NOTE(review): substring `contains` also matches any file name that merely embeds the
// word (e.g. anything containing "hydra"); `=~` / `in~` on the exact file name is more precise.
// NOTE(review): there is no time bound on the union of three high-volume tables; add a
// Timestamp filter before the string predicates.
union DeviceProcessEvents, DeviceFileEvents | |
, DeviceNetworkEvents | |
| where (InitiatingProcessFileName contains 'Nessus' | |
or InitiatingProcessFileName contains 'Netsparker' | |
or InitiatingProcessFileName contains 'curl' | |
or InitiatingProcessFileName contains 'wget' | |
or InitiatingProcessFileName contains 'dirbuster' | |
or InitiatingProcessFileName contains 'hydra' |
// RDP (3389) connections initiated by something other than a known remote-desktop client.
// The query is truncated on this page; the exclusion list continues beyond the last line shown.
// NOTE(review): `RemotePort == "3389" and RemotePort == 'true'` can never both hold, so
// this predicate is always false and the query returns no rows. `RemotePort == 3389`
// (numeric, as the SolarWinds query on this page does for 443) is presumably what was meant.
// NOTE(review): `!endswith` terms joined with `or` are always true - a value cannot end
// with all of them at once - so the allow-list excludes nothing. Join them with `and`,
// or write `InitiatingProcessFileName !in~ ('mstsc.exe', 'RTSApp.exe', ...)`.
// NOTE(review): a command line normally carries arguments after the executable, so
// `endswith '\mstsc.exe'` on InitiatingProcessCommandLine rarely matches; the file name
// or folder path columns are the right ones to compare.
DeviceNetworkEvents | |
| where ((RemotePort == "3389" and RemotePort == 'true') | |
and ((InitiatingProcessCommandLine !endswith @'\mstsc.exe' | |
or InitiatingProcessCommandLine !endswith @'\RTSApp.exe' | |
or InitiatingProcessCommandLine !endswith @'\RTS2App.exe' | |
or InitiatingProcessCommandLine !endswith @'\RDCMan.exe' | |
or InitiatingProcessCommandLine !endswith @'\ws_TunnelService.exe' | |
or InitiatingProcessCommandLine !endswith @'\RSSensor.exe' | |
or InitiatingProcessCommandLine !endswith @'\RemoteDesktopManagerFree.exe' | |
or InitiatingProcessCommandLine !endswith @'\RemoteDesktopManager.exe' |
// Successful VNC connections (5800/5801/5900/5901) to addresses outside private ranges.
// The query is truncated on this page; the address-range exclusions continue beyond the last line shown.
// NOTE(review): `!startswith` terms joined with `or` are always true (an address cannot
// start with every prefix at once), so no private destination is ever excluded. Join them
// with `and`, or replace the whole list with `not(ipv4_is_private(RemoteIP))`.
// NOTE(review): `==` is case-sensitive and the SolarWinds query on this page compares
// Protocol against "Tcp"; one of the two spellings will match nothing - use `=~` or check
// the actual values in the data.
// NOTE(review): RemotePort is compared against string literals here but against the
// number 443 elsewhere on this page; prefer numeric literals for the int column.
DeviceNetworkEvents | |
| where ((ActionType == 'ConnectionSuccess' | |
and (RemotePort == '5800' | |
or RemotePort == '5801' | |
or RemotePort == '5900' | |
or RemotePort == '5901') | |
and Protocol == 'tcp') and | |
((RemoteIP !startswith '10.' | |
or RemoteIP !startswith '172.16.' | |
or RemoteIP !startswith '172.17.' |
// Network events to destinations outside the RFC 1918 private ranges.
// The query is truncated on this page; the predicate continues beyond the last line shown.
// NOTE(review): the first term (`startswith '10.'`) is not negated while the others are,
// and negated `startswith` terms joined with `or` are true for every address - as written
// the filter keeps all rows. `not(ipv4_is_private(RemoteIP))` covers 10/8, 172.16/12 and
// 192.168/16 in one call and avoids hand-listing 172.16.-172.31. prefixes.
DeviceNetworkEvents | |
| where ((RemoteIP startswith '10.' | |
or RemoteIP !startswith '192.168.' | |
or RemoteIP !startswith '172.31' | |
or RemoteIP !startswith '172.30.' | |
or RemoteIP !startswith '172.29.' | |
or RemoteIP !startswith '172.28.' | |
or RemoteIP !startswith '172.27.' | |
or RemoteIP !startswith '172.26.' | |
or RemoteIP !startswith '172.25.' |
// Windows Defender configuration changes (event 5007) that touch the Exclusions key -
// a common defence-evasion step before dropping tooling into an excluded path.
// NOTE(review): 5007 is written to the Microsoft-Windows-Windows Defender/Operational log,
// not the Security log; whether it lands in SecurityEvent depends on how the log is
// collected - if it is ingested as a generic Windows event, query the Event table
// (or DeviceRegistryEvents in MDE) instead. Confirm against the workspace.
SecurityEvent
| where EventID == 5007
// `contains` is case-insensitive; the verbatim string keeps the backslashes literal.
| where NewValue contains @'\Microsoft\Windows Defender\Exclusions'
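// Successful connections to domains associated with the Chrome zero-day exploit chain.
// The indicator list is a static snapshot - maintain it from a threat-intel feed or
// watchlist rather than editing the query.
let Chromezeroday = dynamic(["lragir.org", "armradio.org", "asbares.com", "armtimes.net", "armlur.org",
                             "armenpress.org", "hraparak.org", "hetq.org", "armtimes.org"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
// `in` only hits an exact, case-sensitive RemoteUrl. RemoteUrl frequently carries a
// "www." prefix, a scheme or a path, all of which the original exact match missed;
// has_any matches the domain as a term sequence inside the full value instead.
// It also matches the domain embedded in a longer host name, so review hits for look-alikes.
| where RemoteUrl has_any (Chromezeroday)
// Columns an analyst needs to triage: which host, which process and account made the call.
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName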