```kusto
// Check for successful outbound connections to the SolarWinds-related IPs listed in this gist, based on DeviceNetworkEvents
let IPs = pack_array("98.176.196.89", "68.235.178.32",
    "208.113.35.58", "144.34.179.162", "97.77.97.58");
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (IPs)
| where RemotePort == 443
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
```
```kusto
// Devices still exposed to the listed CVEs (Defender Vulnerability Management data), grouped by the recommended KB
let MSzerodays = dynamic(["CVE-2021-31979",
    "CVE-2021-33771",
    "CVE-2021-34448"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (MSzerodays)
| summarize VulnerableCveCount = count(), Cves = make_set(CveId) by DeviceName, OSPlatform, KBID = RecommendedSecurityUpdateId
```
```kusto
// Process creation (4688) whose command line carries all of the query-string parameters below
// Note: 4688 carries the command line only when "Include command line in process creation events" is enabled in audit policy
SecurityEvent
| where EventID == 4688
| where CommandLine contains 'e=Access&' and CommandLine contains 'y=Guest&'
    and CommandLine contains '&p=' and CommandLine contains '&c=' and CommandLine contains '&k='
| project TimeGenerated, Computer, Account, SubjectUserName, NewProcessName, Process, CommandLine
```
```kusto
// Host and network discovery commands (gpresult, net view, netstat) run in the last 7 days
// The gist matched InitiatingProcessCommandLine (the parent); gpresult and netstat spawn no children,
// so the command itself has to be matched on ProcessCommandLine. in~ keeps the exact-string intent but is case-insensitive.
let DiscoveryCommands = dynamic(["gpresult /z", "gpresult /v", "gpresult",
    "net view", "net view /domain",
    "netstat", "netstat -nab", "netstat -nao"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine in~ (DiscoveryCommands)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```
```kusto
// Adversaries can scan your systems with penetration-testing tools; look for those tools as the initiating process
// across process, file and network events. curl and wget are noisy (curl.exe ships with Windows 10 1803 and later), so expect to tune.
union withsource = SourceTable DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
| where InitiatingProcessFileName contains 'Nessus'
    or InitiatingProcessFileName contains 'Netsparker'
    or InitiatingProcessFileName contains 'curl'
    or InitiatingProcessFileName contains 'wget'
    or InitiatingProcessFileName contains 'dirbuster'
    or InitiatingProcessFileName contains 'hydra'
| project Timestamp, DeviceName, SourceTable, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, RemoteIP, RemoteUrl
```
```kusto
// RDP (3389) connections whose initiating process is not a known RDP client
// Two fixes against the gist: `RemotePort == 'true'` can never match and was dropped (ConnectionSuccess added instead so failed
// attempts are not counted), and a chain of `!endswith ... or !endswith ...` is always true, since no name ends with every
// entry; an allowlist compared with !in~ on the file name expresses the intent.
let KnownRdpClients = dynamic(["mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe",
    "ws_TunnelService.exe", "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe"]);
DeviceNetworkEvents
| where RemotePort == 3389 and ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName !in~ (KnownRdpClients)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, RemoteIP
```
```kusto
// Successful VNC connections (5800/5801/5900/5901) to addresses outside the RFC 1918 ranges
// Fixes against the gist: `Protocol == 'tcp'` never matches (the stored value is "Tcp" and == is case-sensitive), RemotePort is an
// integer, and the `!startswith ... or !startswith ...` chain is always true; ipv4_is_private() covers 10/8, 172.16/12 and 192.168/16.
DeviceNetworkEvents
| where ActionType == 'ConnectionSuccess'
| where Protocol =~ 'tcp'
| where RemotePort in (5800, 5801, 5900, 5901)
| where not(ipv4_is_private(RemoteIP))
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
```
```kusto
// Successful connections to addresses outside the RFC 1918 ranges, summarised per device and process
// The gist mixed `startswith '10.'` with `!startswith` for 192.168. and 172.16.-172.31. and joined them with `or`,
// which matches every address; ipv4_is_private() tests exactly those three blocks.
DeviceNetworkEvents
| where ActionType == 'ConnectionSuccess'
| where not(ipv4_is_private(RemoteIP))
| summarize Connections = count(), RemoteIPs = make_set(RemoteIP, 50) by DeviceName, InitiatingProcessFileName
```
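The RDP-client allowlist and the two private-address filters above share one logic error: a chain of negated conditions joined with `or` is true for every record. The Python below is added here as an illustration and is not part of the gist; it replays both predicates as written and in corrected form over a constructed sample of DeviceNetworkEvents-style records (the field names, sample addresses and the event list are assumptions made for the example; the client allowlist is the gist's). The corrected address check tests the three RFC 1918 blocks explicitly, which is what KQL's `ipv4_is_private()` does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


# Constructed DeviceNetworkEvents-style records for the example; not real telemetry.
@dataclass
class NetEvent:
    remote_ip: str
    remote_port: int
    action_type: str
    protocol: str
    initiating_file: str


SAMPLE_EVENTS: List[NetEvent] = [
    NetEvent("10.20.30.40", 5900, "ConnectionSuccess", "Tcp", "vncviewer.exe"),
    NetEvent("172.20.1.5", 5901, "ConnectionSuccess", "Tcp", "vncviewer.exe"),
    NetEvent("203.0.113.7", 5900, "ConnectionSuccess", "Tcp", "powershell.exe"),
    NetEvent("198.51.100.9", 5800, "ConnectionSuccess", "Tcp", "chrome.exe"),
    NetEvent("198.51.100.9", 5900, "ConnectionFailed", "Tcp", "chrome.exe"),
    NetEvent("192.168.1.10", 3389, "ConnectionSuccess", "Tcp", "mstsc.exe"),
    NetEvent("192.168.1.11", 3389, "ConnectionSuccess", "Tcp", "RDCMan.exe"),
    NetEvent("192.168.1.12", 3389, "ConnectionSuccess", "Tcp", "rundll32.exe"),
]

# The prefixes the gist spells out one by one: 10., 192.168., and 172.16. through 172.31.
PRIVATE_PREFIXES = ["10.", "192.168."] + [f"172.{n}." for n in range(16, 32)]
# The three RFC 1918 blocks; this is also exactly what KQL's ipv4_is_private() tests.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VNC_PORTS = {5800, 5801, 5900, 5901}
# Allowlist from the RDP query, lower-cased for a case-insensitive compare (KQL !in~).
KNOWN_RDP_CLIENTS = {n.lower() for n in (
    "mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
    "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe")}


def is_external_as_written(ip: str) -> bool:
    """`RemoteIP !startswith '10.' or RemoteIP !startswith '172.16.' or ...`:
    every address fails to start with at least one prefix, so this is always True."""
    return any(not ip.startswith(p) for p in PRIVATE_PREFIXES)


def is_external(ip: str) -> bool:
    """Corrected: external only if the address sits in none of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def vnc_to_external(events: List[NetEvent], external: Callable[[str], bool]) -> List[NetEvent]:
    """The VNC query with a pluggable private-range check. The protocol compare is
    case-insensitive here; in KQL `==` is case-sensitive, so `Protocol == 'tcp'` never
    matches the stored value "Tcp"."""
    return [e for e in events
            if e.action_type == "ConnectionSuccess"
            and e.protocol.lower() == "tcp"
            and e.remote_port in VNC_PORTS
            and external(e.remote_ip)]


def rdp_unknown_client_as_written(events: List[NetEvent]) -> List[NetEvent]:
    """`!endswith A or !endswith B ...`: no file name ends with every allowlisted
    name, so every 3389 connection is returned, known clients included."""
    return [e for e in events if e.remote_port == 3389
            and any(not e.initiating_file.lower().endswith(c) for c in KNOWN_RDP_CLIENTS)]


def rdp_unknown_client(events: List[NetEvent]) -> List[NetEvent]:
    """Corrected: only initiating processes that are not on the allowlist."""
    return [e for e in events if e.remote_port == 3389
            and e.initiating_file.lower() not in KNOWN_RDP_CLIENTS]


if __name__ == "__main__":
    print("VNC as written :", [e.remote_ip for e in vnc_to_external(SAMPLE_EVENTS, is_external_as_written)])
    print("VNC corrected  :", [e.remote_ip for e in vnc_to_external(SAMPLE_EVENTS, is_external)])
    print("RDP as written :", [e.initiating_file for e in rdp_unknown_client_as_written(SAMPLE_EVENTS)])
    print("RDP corrected  :", [e.initiating_file for e in rdp_unknown_client(SAMPLE_EVENTS)])
```

Run as written, the VNC filter returns all four successful VNC connections, private destinations included, and the RDP filter returns the mstsc and RDCMan sessions alongside the rundll32 one; the corrected functions return only the two external VNC destinations and the single unknown RDP client. The RFC 1918 membership test is used rather than Python's `ip_address(...).is_private`, because the latter also flags the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and other special-purpose blocks, which `ipv4_is_private()` does not.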
```kusto
// Defender configuration changes (event 5007) that touch the exclusion lists
// Event 5007 is written to the Microsoft-Windows-Windows Defender/Operational log, not the Security log, so in Sentinel it
// arrives in the Event table (when that channel is collected) rather than SecurityEvent, and SecurityEvent has no NewValue
// column; the old and new values are in the rendered message.
Event
| where Source =~ "Microsoft-Windows-Windows Defender" and EventID == 5007
| where RenderedDescription contains @'\Microsoft\Windows Defender\Exclusions'
| project TimeGenerated, Computer, RenderedDescription
```
```kusto
// Successful connections to the domains listed for the Chrome zero-day campaign
// `in` needs an exact match on RemoteUrl, so "www.hetq.org" or a URL with a path would be missed;
// has_any matches each domain as a term sequence anywhere in the URL
let Chromezeroday = dynamic(["lragir.org", "armradio.org", "asbares.com", "armtimes.net", "armlur.org", "armenpress.org", "hraparak.org", "hetq.org", "armtimes.org"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (Chromezeroday)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
```