//Test Rule Logic 1 | |
// IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe, which in
// turn runs ipconfig.exe or quser.exe: host reconnaissance launched from a
// web-server process, the usual footprint of a web shell.
// "In Contains Anycase" is, going by its name, a case-insensitive substring
// match on the process name, so it also fires on names that merely contain
// these strings; tighten to an exact name match if that proves noisy.
ObjectType = "process" | |
AND SrcProcParentName = "w3wp.exe" | |
AND SrcProcName In Contains Anycase ( "cmd.exe" , "powershell.exe" ) | |
AND TgtProcName in Contains Anycase ( "ipconfig.exe" , "quser.exe" ) | |
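//Test Rule Logic 2
// whoami.exe launched by wsmprovhost.exe (the WinRM / PowerShell-remoting
// host process) with /priv or /groups: privilege and group enumeration from
// inside a remote PowerShell session.
DeviceProcessEvents
// FileName columns hold a bare file name, so an exact case-insensitive
// comparison (=~) states the intent directly; `has` was a term search.
| where InitiatingProcessFileName =~ 'wsmprovhost.exe'
| where FileName =~ 'whoami.exe'
// has_any is term-based and case-insensitive, so "/PRIV" still matches.
// "/all" prints the same group and privilege sections as "/groups" and
// "/priv", so it is included to close that gap.
| where ProcessCommandLine has_any ('/priv', '/groups', '/all')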
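//Test Rule Logic 3
// nltest /dclist (domain-controller discovery) with the parent and
// grandparent process attached so the analyst sees the full process chain.
//
// Process ids are reused on a host, so every join below keys on
// DeviceId + command line + process id + process creation time. Joining on
// the id alone can stitch an unrelated, later process into the tree.
let GetProcessTree = DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Each row describes the parent (Initiating*) and, via the join, the
// grandparent (Grandparent*) of the event it will later be joined to.
| project DeviceId,
    InitiatingProcessCommandLine = ProcessCommandLine,
    InitiatingProcessId = ProcessId,
    InitiatingProcessCreationTime = ProcessCreationTime,
    InitiatingProcessFolderPath = FolderPath,
    InitiatingProcessFileName = FileName,
    InitiatingProcessSHA256 = SHA256,
    GrandparentProcessCommandLine = InitiatingProcessCommandLine,
    GrandparentProcessId = InitiatingProcessId,
    GrandparentProcessCreationTime = InitiatingProcessCreationTime
| join kind=leftouter (
    DeviceProcessEvents
    | where ActionType == "ProcessCreated"
    | project DeviceId,
        GrandparentProcessCommandLine = ProcessCommandLine,
        GrandparentProcessId = ProcessId,
        GrandparentProcessCreationTime = ProcessCreationTime,
        GrandparentProcessFolderPath = FolderPath,
        GrandparentProcessFileName = FileName,
        GrandparentProcessSHA256 = SHA256
) on DeviceId, GrandparentProcessCommandLine, GrandparentProcessId, GrandparentProcessCreationTime;
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Match the on-disk name or the PE original file name, so a renamed copy of
// nltest is still caught; both comparisons are case-insensitive.
| where FileName =~ "nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe"
// has is term-based, so "/dclist:<domain>" matches as well as a bare "/dclist".
| where ProcessCommandLine has "/dclist"
| extend
    SubjectUser = strcat(AccountDomain, "/", AccountName),
    SubjectUserSid = AccountSid
| project Timestamp, ReportId, DeviceId, DeviceName, ActionType, SubjectUser, SubjectUserSid,
    ProcessCommandLine, ProcessId, FolderPath, FileName, SHA256,
    IsProcessRemoteSession, ProcessRemoteSessionDeviceName, ProcessRemoteSessionIP,
    InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime
// innerunique keeps one left-side row per key: repeated nltest runs from the
// same parent collapse to one result. Use kind=inner to keep every run.
| join kind=innerunique (GetProcessTree) on DeviceId, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime
// Drop the duplicate key columns the two joins produce.
| project-away *1, *2
// Tuning exclusions. Both compare paths case-insensitively (=~); Windows
// paths are case-insensitive and the two tickets used different casing, so a
// case-sensitive == would silently leave one exclusion inactive.
// These pin a vendor binary by path plus the SYSTEM account; anyone able to
// write to that directory could reuse the path, so consider pinning the
// expected build's SHA256 (GrandparentProcessSHA256 / InitiatingProcessSHA256
// are already carried by the tree) instead of, or in addition to, the path.
| where not(GrandparentProcessFolderPath =~ @"c:\program files (x86)\site24x7onpremisepoller\networkplus\jre\bin\java.exe" and SubjectUser =~ "nt authority/system") // SOC-27723
| where not((InitiatingProcessFolderPath =~ @"C:\Program Files\Silverfort\Silverfort AD Adapter\SilverfortController.exe" or GrandparentProcessFolderPath =~ @"C:\Program Files\Silverfort\Silverfort AD Adapter\SilverfortADAdapter.exe") and SubjectUser =~ "nt authority/system") // SOC-28324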