FireEye released a detailed analysis of the supply-chain compromise of SolarWinds. The detections that are possible in Microsoft Defender for Endpoint are listed below.
DeviceEvents
<manifest schemaversion="4.31" binaryversion="9.20"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
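# Paths that have already been excluded via AppLocker rules (presumably filled
# in further down / in the rest of the script so those hits are not re-reported).
$exclusions = @()

# Directory trees to process. Judging by the log name below, each tree is walked
# looking for locations a standard user can write to; a user-writable directory
# under an AppLocker-allowed path is the classic bypass (drop a binary there and
# the default path rules still let it run).
$paths = @(
    "C:\Windows"
)

# Setup log. $PSScriptRoot is empty when these lines are run interactively
# (pasted into a console or invoked from a prompt), which would write the log
# to the root of the current drive; fall back to the current directory instead.
$scriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$log = Join-Path $scriptDir "UserWritableLocations.log"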
<?xml version="1.0" encoding="UTF-8"?> | |
<opml version="1.0"> | |
<head> | |
<title>Olaf subscriptions in feedly Cloud</title> | |
</head> | |
<body> | |
<outline text="PublicFeeds" title="PublicFeeds"> | |
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/> | |
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/> |
FireEye released a detailed analysis of the supply-chain compromise of SolarWinds. The detections that are possible in Microsoft Defender for Endpoint are listed below.
DeviceEvents
FireEye released a detailed analysis of the supply-chain compromise of SolarWinds. The detections that are possible with Sysmon are listed below.
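index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
    ``` Sysmon Event ID 7 (Image loaded) has no ParentImage field: the loading process is in Image, so the original ParentImage= clause matched nothing ```
    Image="C:\\Windows\\System32\\svchost.exe"
    ``` Operators must be uppercase - a lowercase "and" is searched as a literal keyword. Backslashes are doubled consistently; the leading \\ stops e.g. FooNetSetupSvc.dll from matching ```
    AND ImageLoaded="*\\NetSetupSvc.dll"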
<manifest schemaversion="4.50" binaryversion="13.0"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
<manifest schemaversion="4.60" binaryversion="14.0"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
CLSID,ClassName | |
{0000031A-0000-0000-C000-000000000046},CLSID | |
{0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo | |
{00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36 | |
{00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36 | |
{00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36 | |
{00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36 | |
{00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36 | |
{00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36 | |
{00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36 |
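// Hunt for low-prevalence, non-Microsoft-signed DLLs loaded from the print
// spooler driver directory on non-workstation devices. Result: one row per
// distinct SHA1 with the FileProfile() enrichment columns.
//
// NOTE(review): a device whose DeviceType is null is dropped by the `!=`
// below (null comparisons are false in `where`); confirm that is intended.
let serverlist = DeviceInfo
    | where DeviceType != "Workstation"
    | distinct DeviceId;
let suspiciousdrivers = DeviceImageLoadEvents
    | where DeviceId in (serverlist)
    // startswith is case-insensitive, so the lower-case path is fine.
    | where FolderPath startswith @"c:\windows\system32\spool\drivers"
    // distinct SHA1 deliberately drops DeviceId/FolderPath; join back on SHA1
    // against DeviceImageLoadEvents when a hit needs triage context.
    | distinct SHA1
    // FileProfile enriches at most 1000 hashes per query.
    | invoke FileProfile(SHA1, 1000)
    // GlobalPrevalence is empty for files the backend has never seen, and
    // `null < 50` is false, so the original query silently dropped exactly the
    // never-before-seen files - the most interesting ones. Keep them.
    // NOTE(review): the two signer checks have the same null behaviour; confirm
    // FileProfile populates them for unsigned files.
    | where (isnull(GlobalPrevalence) or GlobalPrevalence < 50)
        and IsRootSignerMicrosoft != 1
        and SignatureState != "SignedValid";
suspiciousdrivers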
<Sysmon schemaversion="4.70"> | |
<EventFiltering> | |
<RuleGroup name="" groupRelation="or"> | |
<ProcessCreate onmatch="exclude"> | |
<Rule name="" groupRelation="and"> | |
<Image condition="is">/usr/bin/groups</Image> | |
<ParentImage condition="is">/usr/bin/bash</ParentImage> | |
</Rule> | |
<Rule name="" groupRelation="and"> | |
<Image condition="is">/usr/bin/locale-check</Image> |