SecurityEvent
| where EventID == 4688
| where (CommandLine contains 'e=Access&' and CommandLine contains 'y=Guest&' and CommandLine contains '&p=' and CommandLine contains '&c=' and CommandLine contains '&k=')
| project TimeGenerated, Account, CommandLine, NewProcessName, Process, SubjectUserName

// RDP (3389) connections not started by a known remote-desktop client
DeviceNetworkEvents
| where ((RemotePort == 3389 and RemotePort == 'true')  // RemotePort is numeric; the second comparison cannot match as written
    and ((InitiatingProcessCommandLine !endswith @'\mstsc.exe'
    and InitiatingProcessCommandLine !endswith @'\RTSApp.exe'
    and InitiatingProcessCommandLine !endswith @'\RTS2App.exe'
    and InitiatingProcessCommandLine !endswith @'\RDCMan.exe'
    and InitiatingProcessCommandLine !endswith @'\ws_TunnelService.exe'
    and InitiatingProcessCommandLine !endswith @'\RSSensor.exe'
    and InitiatingProcessCommandLine !endswith @'\RemoteDesktopManagerFree.exe'
    and InitiatingProcessCommandLine !endswith @'\RemoteDesktopManager.exe'

// Connections to remote addresses outside the RFC 1918 private ranges
DeviceNetworkEvents
| where ((RemoteIP !startswith '10.'
    and RemoteIP !startswith '192.168.'
    and RemoteIP !startswith '172.31.'
    and RemoteIP !startswith '172.30.'
    and RemoteIP !startswith '172.29.'
    and RemoteIP !startswith '172.28.'
    and RemoteIP !startswith '172.27.'
    and RemoteIP !startswith '172.26.'
    and RemoteIP !startswith '172.25.'

// Successful TCP connections to VNC ports (5800/5801/5900/5901) from addresses outside the private ranges
DeviceNetworkEvents
| where ((ActionType == 'ConnectionSuccess'
    and (RemotePort == 5800
    or RemotePort == 5801
    or RemotePort == 5900
    or RemotePort == 5901)
    and Protocol =~ 'tcp') and
    ((RemoteIP !startswith '10.'
    and RemoteIP !startswith '172.16.'
    and RemoteIP !startswith '172.17.'

let MSzerodays = dynamic(["CVE-2021-31979",
    "CVE-2021-33771",
    "CVE-2021-34448"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (MSzerodays)
| summarize Securitypatches = count(), make_set(CveId) by DeviceName, OSPlatform, KBID = RecommendedSecurityUpdateId

let Chromezeroday = dynamic(["lragir.org","armradio.org","asbares.com","armtimes.net","armlur.org","armenpress.org","hraparak.org","hetq.org","armtimes.org"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteUrl in (Chromezeroday)

// Values written under the Defender exclusion keys (paths, extensions, processes)
DeviceRegistryEvents
| where ((ActionType == "RegistryValueSet") and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"))

let CandiruDomains = dynamic(["indoprogress.co","pochtarossiy.info","kupony-rohlik.cz","armenpress.net","tehrantimes.org","yeni-safak.com","cyprusnet.tk","oiip.org","lwaeh-iteham-alasra.com","mbsmetoo.com","total-slovenia-news.net"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteUrl in (CandiruDomains)

let SHA1Hash = dynamic([

// Just saw Conti attack where they installed AnyDesk for remote access to then later launch the ransomware encrypting the machine including AnyDesk
DeviceFileEvents
| where FileName has_any ("Anydesk")
| project Timestamp, DeviceName, FileName, ReportId, DeviceId