Merge pull request #104 from makislev/master

Update github queries to use the new advanced hunting device schema
microsoft · Jan 5, 2020 · 5aa4bb9 · 5aa4bb9
2 parents 00dabae + d3d9374
commit 5aa4bb9
Show file tree

Hide file tree

Showing 60 changed files with 420 additions and 420 deletions.
diff --git a/Campaigns/APT Baby Shark.txt b/Campaigns/APT Baby Shark.txt
@@ -1,8 +1,8 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default""" 
  or ProcessCommandLine startswith "powershell.exe mshta.exe http"
  or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe"
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/APT29 thinktanks.txt b/Campaigns/APT29 thinktanks.txt
@@ -1,6 +1,6 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where ProcessCommandLine has "-noni -ep bypass $"
-| top 100 by EventTime desc 
+| top 100 by Timestamp desc 
diff --git a/Campaigns/Abusing settingcontent-ms.txt b/Campaigns/Abusing settingcontent-ms.txt
@@ -1,9 +1,9 @@
 // Sample query that search for .settingcontent-ms that has been downloaded from the web
 // through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox, Microsoft Outlook
 // For questions @MiladMSFT on Twitter or milad.aslaner@microsoft.com
-FileCreationEvents
+DeviceFileEvents
 | where InitiatingProcessFileName in~ ("browser_broker.exe", "chrome.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
 | where FileName endswith ".settingcontent-ms"
 // The FileOrigin* columns are available only on Edge and Chrome and from Windows 10 version 1703
 // https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
-| project EventTime, ComputerName, FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP
+| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP
diff --git a/Campaigns/Bear Activity GTR 2019.txt b/Campaigns/Bear Activity GTR 2019.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d) 
+DeviceProcessEvents 
+| where Timestamp > ago(7d) 
 | where (FileName =~ "xcopy.exe" and ProcessCommandLine has @" /S /E /C /Q /H \") 
  or (FileName =~ "adexplorer.exe" and ProcessCommandLine has @" -snapshot """" c:\users\")
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/Cloud Hopper.txt b/Campaigns/Cloud Hopper.txt
@@ -1,6 +1,6 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where FileName =~ @"cscript.exe" and ProcessCommandLine has ".vbs /shell "
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/DofoilNameCoinServerTraffic.txt b/Campaigns/DofoilNameCoinServerTraffic.txt
@@ -1,10 +1,10 @@
 // This is a query to retrieve last 30 days network connections to known Dofoil NameCoin servers
 // The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/
 
-NetworkCommunicationEvents 
+DeviceNetworkEvents 
 | where RemoteIP in (
  "139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53",
  "62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18",
  "62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34",
  "193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7")
-| project ComputerName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
+| project DeviceName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
diff --git a/Campaigns/Dragon Fly.txt b/Campaigns/Dragon Fly.txt
@@ -1,6 +1,6 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where FileName =~ "crackmapexec.exe"
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/Elise backdoor.txt b/Campaigns/Elise backdoor.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where (FolderPath =~ @"C:\Windows\SysWOW64\cmd.exe" and ProcessCommandLine has @"\Windows\Caches\NavShExt.dll") 
  or (ProcessCommandLine endswith @"\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting")
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/Equation Group C2 Communication.txt b/Campaigns/Equation Group C2 Communication.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where (FolderPath endswith @"\rundll32.exe" and ProcessCommandLine endswith ",dll_u") 
  or ProcessCommandLine has " -export dll_u "
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/Hurricane Panda activity.txt b/Campaigns/Hurricane Panda activity.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml
 // Questions via Twitter: @janvonkirchheim 
-ProcessCreationEvents 
-| where EventTime > ago(7d)
+DeviceProcessEvents 
+| where Timestamp > ago(7d)
 | where ProcessCommandLine endswith " localgroup administrators admin /add"
  or ProcessCommandLine has @"\Win64.exe"
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/Judgement Panda exfil activity.txt b/Campaigns/Judgement Panda exfil activity.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml
 // Questions via Twitter: @janvonkirchheim
-ProcessCreationEvents
-| where EventTime > ago(7d)
+DeviceProcessEvents
+| where Timestamp > ago(7d)
 | where ProcessCommandLine has @"\ldifde.exe -f -n "
  or ProcessCommandLine has @"\7za.exe a 1.7z " 
  or ProcessCommandLine endswith @" eprod.ldf" 
@@ -11,4 +11,4 @@ ProcessCreationEvents
  or ProcessCommandLine has @"copy .\1.7z \" 
  or ProcessCommandLine has @"copy \client\c$\aaaa\" 
  or FolderPath == @"C:\Users\Public\7za.exe"
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/MacOceanLotusBackdoor.txt b/Campaigns/MacOceanLotusBackdoor.txt
@@ -3,8 +3,8 @@
 // https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/ 
 //
 // OS platforms: Macintosh 
-ProcessCreationEvents
-| where EventTime > ago(14d)
+DeviceProcessEvents
+| where Timestamp > ago(14d)
 | where FileName in~ ("screenassistantd","spellagentd")
-| top 100 by EventTime 
+| top 100 by Timestamp 
 
diff --git a/Campaigns/MacOceanLotusDropper.txt b/Campaigns/MacOceanLotusDropper.txt
@@ -2,9 +2,9 @@
 // References:
 // https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/ 
 // OS Platforms: Macintosh
-ProcessCreationEvents
-| where EventTime > ago(14d)
+DeviceProcessEvents
+| where Timestamp > ago(14d)
 | where ProcessCommandLine contains "theme0" 
-| project EventTime, MachineId , ComputerName, AccountName , AccountSid , InitiatingProcessCommandLine , ProcessCommandLine 
-| top 100 by EventTime 
+| project Timestamp, DeviceId , DeviceName, AccountName , AccountSid , InitiatingProcessCommandLine , ProcessCommandLine 
+| top 100 by Timestamp 
 
diff --git a/Campaigns/OceanLotus registry activity.txt b/Campaigns/OceanLotus registry activity.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml
 // Questions via Twitter: @janvonkirchheim 
-RegistryEvents 
-| where EventTime > ago(7d)
+DeviceRegistryEvents 
+| where Timestamp > ago(7d)
 | where ActionType == "RegistryValueSet" 
 | where RegistryKey endswith @"\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model" 
  or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application" 

diff --git a/Campaigns/apt sofacy zebrocy.txt b/Campaigns/apt sofacy zebrocy.txt
@@ -1,6 +1,6 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml
 // Questions via Twitter: @janvonkirchheim
-ProcessCreationEvents
-| where EventTime > ago(7d)
+DeviceProcessEvents
+| where Timestamp > ago(7d)
 | where ProcessCommandLine endswith "cmd.exe /c SYSTEMINFO & TASKLIST"
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Campaigns/apt tropictrooper.txt b/Campaigns/apt tropictrooper.txt
@@ -1,6 +1,6 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml
 // Questions via Twitter: @janvonkirchheim
-ProcessCreationEvents
-| where EventTime > ago(7d)
+DeviceProcessEvents
+| where Timestamp > ago(7d)
 | where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
diff --git a/Command and Control/Tor.txt b/Command and Control/Tor.txt
@@ -1,13 +1,13 @@
 // This query looks for Tor client, or for a common Tor plugin called Meek.
-// We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downloads (FileCreationEvents)
+// We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downloads (DeviceFileEvents)
 // To read more about this technique, see:
 // Tor: https://attack.mitre.org/wiki/Software/S0183#Techniques_Used
 // Meek plugin: https://attack.mitre.org/wiki/Software/S0175
 // Multi-hop proxy technique: https://attack.mitre.org/wiki/Technique/T1188
 // Tags: #Tor, #MultiHopProxy, #CnC
-NetworkCommunicationEvents 
-| where EventTime < ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")
+DeviceNetworkEvents 
+| where Timestamp < ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")
 // Returns MD5 hashes of files used by Tor, to enable you to block them.
 // We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
-| summarize MachineCount=dcount(ComputerName), MachineNames=makeset(ComputerName, 5) by InitiatingProcessMD5
+| summarize MachineCount=dcount(DeviceName), MachineNames=makeset(DeviceName, 5) by InitiatingProcessMD5
 | order by MachineCount desc
diff --git a/Delivery/Doc attachment with link to download.txt b/Delivery/Doc attachment with link to download.txt
@@ -5,42 +5,42 @@
 // Implementation comment #1: Matching events by time
 // Matching the 3 different events (saving attachment, clicking on link, downloading file) is done purely by time difference - so could sometimes link together unrelated events.
 // Doing a more exact lookup would create a much more complex query due to 
-// Implementation comment #2: Deduping FileCreationEvents
-// Oftentimes there are multiple FileCreationEvents for a single file - e.g. if the file keeps being appended into before being closed.
+// Implementation comment #2: Deduping DeviceFileEvents
+// Oftentimes there are multiple DeviceFileEvents for a single file - e.g. if the file keeps being appended into before being closed.
 // So, we query only for the last reported file state to ignore intermediate file states.
 // Explaining the underlying data:
 // BrowserLaunchedToOpenUrl event:
 // This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files
 // For this event, RemoteUrl contains the opened URL.
 let minTimeRange = ago(7d);
 let wordLinks = 
- MiscEvents
+ DeviceEvents
  // Filter on click on links from WinWord
- | where EventTime > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "winword.exe"
- | project ClickTime=EventTime, MachineId, ComputerName, ClickUrl=RemoteUrl;
+ | where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "winword.exe"
+ | project ClickTime=Timestamp, DeviceId, DeviceName, ClickUrl=RemoteUrl;
 let docAttachments = 
- FileCreationEvents
- | where EventTime > minTimeRange 
+ DeviceFileEvents
+ | where Timestamp > minTimeRange 
  // Query for common document file extensions
  and (FileName endswith ".docx" or FileName endswith ".docm" or FileName endswith ".doc")
  // Query for files saved from email clients such as the Office Outlook app or the Windows Mail app
  and InitiatingProcessFileName in~ ("outlook.exe", "hxoutlook.exe")
- | summarize AttachmentSaveTime=min(EventTime) by AttachmentName=FileName, MachineId;
+ | summarize AttachmentSaveTime=min(Timestamp) by AttachmentName=FileName, DeviceId;
 let browserDownloads = 
- FileCreationEvents
- | where EventTime > minTimeRange 
+ DeviceFileEvents
+ | where Timestamp > minTimeRange 
  // Query for files created by common browsers
  and InitiatingProcessFileName in~ ("browser_broker.exe", "chrome.exe", "iexplore.exe", "firefox.exe")
  // Exclude JS files that are used for loading sites (but still query for JS files that are known to be downloaded)
  and not (FileName endswith ".js" and isempty(FileOriginUrl))
  // Further filter to exclude file extensions that are less indicative of an attack (when there were already previously a doc attachment that included a link)
  | where FileName !endswith ".partial" and FileName !endswith ".docx"
- | summarize (EventTime, SHA1) = argmax(EventTime, SHA1) by FileName, MachineId, FileOriginUrl;
+ | summarize (Timestamp, SHA1) = argmax(Timestamp, SHA1) by FileName, DeviceId, FileOriginUrl;
 // Perf tip: start the joins from the smallest table (put it on the left-most side of the joins)
 wordLinks
-| join kind= inner (docAttachments) on MachineId | where ClickTime - AttachmentSaveTime between (0min..3min)
-| join kind= inner (browserDownloads) on MachineId | where EventTime - ClickTime between (0min..3min) 
+| join kind= inner (docAttachments) on DeviceId | where ClickTime - AttachmentSaveTime between (0min..3min)
+| join kind= inner (browserDownloads) on DeviceId | where Timestamp - ClickTime between (0min..3min) 
 // Aggregating multiple "attachments" together - because oftentimes the same file is stored multiple times under different names
 | summarize Attachments=makeset(AttachmentName), AttachmentSaveTime=min(AttachmentSaveTime), ClickTime=min(ClickTime)
  by // Downloaded file details
- bin(EventTime, 1tick), FileName, FileOriginUrl, ClickUrl, SHA1, ComputerName, MachineId
+ bin(Timestamp, 1tick), FileName, FileOriginUrl, ClickUrl, SHA1, DeviceName, DeviceId
diff --git a/Delivery/Dropbox downloads linked from other site.txt b/Delivery/Dropbox downloads linked from other site.txt
@@ -3,9 +3,9 @@
 // Read more about download URL data and about this attack vector in this blog post:
 // https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
 // Tags: #DownloadUrl, #Referer, #Dropbox
-FileCreationEvents
+DeviceFileEvents
 | where 
- EventTime > ago(7d)
+ Timestamp > ago(7d)
  and FileOriginUrl startswith "https://dl.dropboxusercontent.com/"
  and isnotempty(FileOriginReferrerUrl)
  and FileOriginReferrerUrl !startswith "https://www.dropbox.com/" 

diff --git a/Delivery/Email link + download + SmartScreen warning.txt b/Delivery/Email link + download + SmartScreen warning.txt
@@ -4,29 +4,29 @@
 // Tags: #EmailLink, #BrowserDownload, #SmartScreen
 let smartscreenAppWarnings =
 // Query for SmartScreen warnings of unknown executed applications
- MiscEvents
+ DeviceEvents
  | where ActionType == "SmartScreenAppWarning"
- | project WarnTime=EventTime, ComputerName, WarnedFileName=FileName, WarnedSHA1=SHA1, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
+ | project WarnTime=Timestamp, DeviceName, WarnedFileName=FileName, WarnedSHA1=SHA1, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
  // Select only warnings that the user has decided to ignore and has executed the app.
  | join kind=leftsemi (
- MiscEvents
+ DeviceEvents
  | where ActionType == "SmartScreenUserOverride"
- | project ComputerName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
- on ComputerName, ActivityId
+ | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
+ on DeviceName, ActivityId
  | project-away ActivityId;
 // Query for links opened from outlook, that are close in time to a SmartScreen warning
 let emailLinksNearSmartScreenWarnings =
- MiscEvents
+ DeviceEvents
  | where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe"
  | extend WasOutlookSafeLink=(tostring(parse_url(RemoteUrl).Host) endswith "safelinks.protection.outlook.com")
- | project ComputerName, MailLinkTime=EventTime,
+ | project DeviceName, MailLinkTime=Timestamp,
  MailLink=iff(WasOutlookSafeLink, url_decode(tostring(parse_url(RemoteUrl)["Query Parameters"]["url"])), RemoteUrl)
- | join kind=inner smartscreenAppWarnings on ComputerName | where (WarnTime-MailLinkTime) between (0min..4min);
+ | join kind=inner smartscreenAppWarnings on DeviceName | where (WarnTime-MailLinkTime) between (0min..4min);
 // Add the browser download event to tie in all the dots
-FileCreationEvents
+DeviceFileEvents
 | where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ("chrome.exe", "browser_broker.exe")
-| project FileName, FileOriginUrl, FileOriginReferrerUrl, ComputerName, EventTime, SHA1
-| join kind=inner emailLinksNearSmartScreenWarnings on ComputerName
-| where (EventTime-MailLinkTime) between (0min..3min) and (WarnTime-EventTime) between (0min..1min)
-| project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName, ComputerName, SHA1, WarnedSHA1, EventTime
+| project FileName, FileOriginUrl, FileOriginReferrerUrl, DeviceName, Timestamp, SHA1
+| join kind=inner emailLinksNearSmartScreenWarnings on DeviceName
+| where (Timestamp-MailLinkTime) between (0min..3min) and (WarnTime-Timestamp) between (0min..1min)
+| project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName, DeviceName, SHA1, WarnedSHA1, Timestamp
 | distinct *