Day to Day

Renamed Command Line Programs
event_platform=win event_simpleName=ProcessRollup2 ImageSubsystem_decimal=3 
| rename FileName as runningExe
| lookup local=true appinfo.csv SHA256HashData OUTPUT FileName FileDescription
| eval runningExe=lower(runningExe)
| eval FileName=lower(FileName)
| where runningExe!=FileName
| search FileName=cmd.exe
| stats dc(aid) as "System Count" count(aid) as "Execution Count" values(runningExe) as "File On Disk" values(FileName) as "Cloud File Name" values(FileDescription) as "File Description" by SHA256HashData
Mining Windows Command History for Artifacts


index=main sourcetype=CommandHistory* event_platform=win event_simpleName=CommandHistory
| rex field=CommandHistory ".*(?<passedURL>http(|s)\:\/\/.*\.(net|com|org|io)).*"
| where isnotnull(passedURL)
| fillnull ApplicationName value="powershell.exe"
| eval timestamp=timestamp/1000
| table timestamp ComputerName ApplicationName TargetProcessId_decimal passedURL CommandHistory 
| search ComputerName!=DESKTOP-ICAKMS8 AND passedURL!="*.crowdstrike.*" AND passedURL!="*.microsoft.*"
| convert ctime(timestamp)
| rename timestamp as Time, ComputerName as Endpoint, ApplicationName as "Responsible Application", TargetProcessId_decimal as "Falcon PID", passedURL as "URL Fragment", CommandHistory as "Complete Command Context"
Scheduled Searches, Failed User Logons, and Thresholds
index=main sourcetype=UserLogonFailed* event_platform=win event_simpleName=UserLogonFailed2 
| search LogonType_decimal IN (2, 7, 10, 13)
| where ComputerName=LogonDomain
| eval LogonType=case(LogonType_decimal="2", "Interactive", LogonType_decimal="7", "Unlock", LogonType_decimal="10", "RDP", LogonType_decimal="13", "Unlock Workstation")
| eval SubStatus_decimal=tostring(SubStatus_decimal,"hex")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000064", "User name does not exist")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC000006A", "User name is correct but the password is wrong")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000234", "User is currently locked out")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000072", "Account is currently disabled")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC000006F", "User tried to logon outside his day of week or time of day restrictions")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000070", "Workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000193", "Account expiration")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000071", "Expired password")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000133", "Clocks between DC and other computer too far out of sync")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000224", "User is required to change password at next logon")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC0000225", "Evidently a bug in Windows and not a risk")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xc000015b", "The user has not been granted the requested logon type (aka logon right) at this machine")
| eval SubStatus_decimal=replace(SubStatus_decimal,"0xC000006E", "Unknown user name or bad password")
| stats values(ComputerName) as computerName, values(LocalAddressIP4) as localIPAddresses, count(aid) as failedLogonAttempts, dc(UserName) as credentialsUsed, values(UserName) as userNames, earliest(ContextTimeStamp_decimal) as firstFailedAttempt, latest(ContextTimeStamp_decimal) as lastFailedAttempt, values(RemoteAddressIP4) as remoteIPAddresses, values(LogonType) as logonTypes, values(SubStatus_decimal) as failedLogonReasons by aid
| eval failedLoginsDeltaMinutes=round((lastFailedAttempt-firstFailedAttempt)/60,0)
| eval failedLoginsDeltaSeconds=round((lastFailedAttempt-firstFailedAttempt),2)
| where failedLogonAttempts>=5
| convert ctime(firstFailedAttempt) ctime(lastFailedAttempt)
| sort -failedLogonAttempts
Mining EndOfProcess and Profiling Programs
(index=main sourcetype=EndOfProcess* event_platform=win event_simpleName=EndOfProcess ImageSubsystem_decimal=3) OR (index=main sourcetype=ProcessRollup2* event_platform=win event_simpleName=ProcessRollup2 ImageSubsystem_decimal=3)
| lookup local=true appinfo.csv SHA256HashData OUTPUT FileName as cloudFileName
| eval cloudFileName=lower(cloudFileName) 
| search cloudFileName=powershell.exe
| search event_simpleName=ProcessRollup2 OR (event_simpleName=EndOfProcess AND (ScreenshotsTakenCount_decimal>0 OR (NewExecutableWrittenCount_decimal>=2 AND NewExecutableWrittenCount_decimal!=27 AND NewExecutableWrittenCount_decimal!=28)))
| stats dc(event_simpleName) as eventCount, earliest(ProcessStartTime_decimal) as procStartTime, values(ComputerName) as computerName, values(UserName) as userName, values(UserSid_readable) as userSid, values(FileName) as fileName, values(cloudFileName) as cloudFileName, values(CommandLine) as cmdLine, values(ScreenshotsTakenCount_decimal) as screenShotsTaken, values(NewExecutableWrittenCount_decimal) as ExesWritten by aid, TargetProcessId_decimal
| where eventCount>1
| table aid, computerName, userSid, userName, TargetProcessId_decimal, fileName, cloudFileName, ExesWritten, screenShotsTaken, cmdLine
| rename TargetProcessId_decimal as falconPID
Auditing SSH connections being made to Linux Systems.
event_platform=lin event_simpleName=CriticalEnvironmentVariableChanged EnvironmentVariableName IN (SSH_CONNECTION, USER)
| eventstats list(EnvironmentVariableName) as EnvironmentVariableName,list(EnvironmentVariableValue) as EnvironmentVariableValue by aid, ContextProcessId_decimal
| eval tempData=mvzip(EnvironmentVariableName,EnvironmentVariableValue,":")
| rex field=tempData "SSH_CONNECTION\:((?<clientIP>\d+\.\d+\.\d+\.\d+)\s+(?<rPort>\d+)\s+(?<serverIP>\d+\.\d+\.\d+\.\d+)\s+(?<lPort>\d+))"
| rex field=tempData "USER\:(?<userName>.*)"
| where isnotnull(clientIP)
| iplocation clientIP
| lookup local=true aid_master aid OUTPUT Version as osVersion, Country as sshServerCountry
| fillnull City, Country, Region value="-"
| table _time aid ComputerName sshServerCountry osVersion serverIP lPort userName clientIP rPort City Region Country
| where isnotnull(userName)
| sort +ComputerName, +_time
User accounts being added to groups on Windows hosts.
(index=main sourcetype=UserAccountAddedToGroup* event_platform=win event_simpleName=UserAccountAddedToGroup) OR (index=main sourcetype=ProcessRollup2* event_platform=win event_simpleName=ProcessRollup2)
| eval falconPID=coalesce(TargetProcessId_decimal, RpcClientProcessId_decimal)
| rename UserName as responsibleUserName
| rename UserSid_readable as responsibleUserSID
| eval GroupRid_dec=tonumber(ltrim(tostring(GroupRid), "0"), 16)
| eval UserRid_dec=tonumber(ltrim(tostring(UserRid), "0"), 16)
| eval UserSid_readable=DomainSid. "-" .UserRid_dec
| lookup local=true userinfo.csv UserSid_readable OUTPUT UserName
| lookup local=true grouprid_wingroup.csv GroupRid_dec OUTPUT WinGroup
| fillnull value="-" UserName responsibleUserName
| stats dc(event_simpleName) as eventCount, values(ProcessStartTime_decimal) as processStartTime, values(FileName) as responsibleFile, values(CommandLine) as responsibleCmdLine, values(responsibleUserSID) as responsibleUserSID, values(responsibleUserName) as responsibleUserName, values(WinGroup) as windowsGroupName, values(GroupRid_dec) as windowsGroupRID, values(UserName) as addedUserName, values(UserSid_readable) as addedUserSID by aid, falconPID
| where eventCount>1 
| eval ProcExplorer=case(falconPID!="","https://falcon.us-2.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| convert ctime(processStartTime)
| table processStartTime, aid, responsibleUserSID, responsibleUserName, responsibleFile, responsibleCmdLine, addedUserSID, addedUserName, windowsGroupRID, windowsGroupName, ProcExplorer 
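The (aid, falconPID) join and the zero-padded hex RID handling from the query above, as an added Python example that is not part of the original page; the RID-to-group map is a partial stand-in for grouprid_wingroup.csv and the events are constructed.

```python
from collections import defaultdict

# Partial stand-in for grouprid_wingroup.csv (constructed; well-known RIDs only)
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 544: "Administrators", 545: "Users"}

def rid_from_hex(rid_hex: str) -> int:
    """GroupRid/UserRid arrive as zero-padded hex strings: "00000220" -> 544."""
    return int(rid_hex.lstrip("0") or "0", 16)

def falcon_pid(ev):
    """coalesce(TargetProcessId_decimal, RpcClientProcessId_decimal): ProcessRollup2
    carries the former, UserAccountAddedToGroup carries the RPC client's PID in the latter."""
    for name in ("TargetProcessId_decimal", "RpcClientProcessId_decimal"):
        if ev.get(name) is not None:
            return ev[name]
    return None

def correlate(events):
    """Join both event types on (aid, falconPID) and keep keys that have both halves,
    which is what stats ... by aid, falconPID | where eventCount>1 does in the query."""
    by_key = defaultdict(lambda: {"ProcessRollup2": [], "UserAccountAddedToGroup": []})
    for ev in events:
        by_key[(ev["aid"], falcon_pid(ev))][ev["event_simpleName"]].append(ev)
    rows = []
    for (aid, pid), evs in by_key.items():
        if not evs["ProcessRollup2"] or not evs["UserAccountAddedToGroup"]:
            continue  # a group change without process context (or vice versa) is dropped
        for add in evs["UserAccountAddedToGroup"]:
            group_rid = rid_from_hex(add["GroupRid"])
            for proc in evs["ProcessRollup2"]:
                rows.append({"aid": aid, "falconPID": pid,
                             "responsibleFile": proc["FileName"],
                             "responsibleCmdLine": proc["CommandLine"],
                             "responsibleUserName": proc["UserName"],
                             "addedUserSID": f'{add["DomainSid"]}-{rid_from_hex(add["UserRid"])}',
                             "windowsGroupRID": group_rid,
                             "windowsGroupName": WELL_KNOWN_GROUP_RIDS.get(group_rid, "-")})
    return rows

# Constructed sample events (not real telemetry)
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-1", "TargetProcessId_decimal": 4242,
     "FileName": "net1.exe", "CommandLine": "net1 localgroup Administrators newuser /add",
     "UserName": "helpdesk"},
    {"event_simpleName": "UserAccountAddedToGroup", "aid": "aid-1", "RpcClientProcessId_decimal": 4242,
     "DomainSid": "S-1-5-21-1111-2222-3333", "GroupRid": "00000220", "UserRid": "000003E9"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-2", "TargetProcessId_decimal": 4242,
     "FileName": "net1.exe", "CommandLine": "net1 user", "UserName": "helpdesk"},  # no group change
]
```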
Hunting modification (ASEP modifications) of the Windows registry
event_platform=win event_simpleName IN (AsepValueUpdate, RegGenericValueUpdate) 
| search AuthenticationId_decimal=999
| search RegOperationType_decimal IN (2, 4)
| rename RegOperationType_decimal as RegOperationType, AsepClass_decimal as AsepClass
| lookup local=true RegOperation.csv RegOperationType OUTPUT RegOperationName
| lookup local=true AsepClass.csv AsepClass OUTPUT AsepClassName
| eval ProcExplorer=case(ContextProcessId_decimal!="","https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . ContextProcessId_decimal)
| table aid, ComputerName, RegObjectName, RegValueName, AsepClassName, RegOperationName, ProcExplorer
Hunting Cluster Events by Process Lineage
event_platform=win event_simpleName=ProcessRollup2 FileName IN (whoami.exe, arp.exe, cmd.exe, net.exe, net1.exe, ipconfig.exe, route.exe, netstat.exe, nslookup.exe)
| stats dc(FileName) as fnameCount, earliest(ProcessStartTime_decimal) as firstRun, latest(ProcessStartTime_decimal) as lastRun, values(FileName) as filesRun, values(CommandLine) as cmdsRun by cid, aid, ComputerName, ParentBaseFileName, ParentProcessId_decimal
| where fnameCount > 3
| eval timeDelta=lastRun-firstRun
| where timeDelta < 600
| eval graphExplorer=case(ParentProcessId_decimal!="","https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:".aid.":".ParentProcessId_decimal)
| table cid, aid, ComputerName, ParentBaseFileName, filesRun, cmdsRun, timeDelta, graphExplorer 
Encrypted command line strings emanating from PowerShell.
//Grab all PowerShell execution events
#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/\\powershell(_ise)?\.exe/i
//Look for command line flags that indicate an encoded command
| CommandLine=/\s+-(e|enc|encodedcommand|encode)\s+/i
//Group by command frequency
| groupby([ParentBaseFileName, CommandLine], function=stats([count(aid, distinct=true, as="uniqueEndpointCount"), count(aid, as="executionCount")]), limit=max)
//Setting prevalence threshold
| uniqueEndpointCount < 3
//Calculating the length of the encoded command line
| cmdLength := length("CommandLine")
//Isolate the Base64 string into the base64String field
| CommandLine=/\s+-(e|enc|encodedcommand|encode)\s+(?<base64String>\S+)/i
//Get entropy of the Base64 string
| b64Entropy := shannonEntropy("base64String")
//Setting entropy threshold
| b64Entropy > 3.5
//Decode encoded command blob (PowerShell -EncodedCommand payloads are UTF-16LE)
| decodedCommand := base64Decode(base64String, charset="UTF-16LE")
//Outputting to table
| table([ParentBaseFileName, uniqueEndpointCount, executionCount, cmdLength, b64Entropy, decodedCommand])
//Search for http or https in the decoded command
| decodedCommand=/https?/i
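The same flag extraction, entropy, UTF-16LE decode and URL checks as a standalone Python script, added here as an example that is not from the original page or from CrowdStrike; the event rows and the encoded commands are constructed, and the regex uses a bare `e` alternative so a single space after `-e` also matches.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Same flag set as the query; the lone "e" alternative also covers "-e <blob>"
ENC_RE = re.compile(r"\s+-(e|enc|encodedcommand|encode)\s+(?P<base64String>\S+)", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character, the metric shannonEntropy() applies to the blob."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def extract_encoded_command(cmdline: str):
    """Pull the -enc blob out and decode it as UTF-16LE (what PowerShell expects)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group("base64String")
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad padding or wrong charset: not a real -EncodedCommand payload
    return {"cmdLength": len(cmdline), "b64Entropy": round(shannon_entropy(blob), 2),
            "decodedCommand": decoded, "hasUrl": re.search(r"https?", decoded, re.I) is not None}

def hunt(events, max_endpoints=3, min_entropy=3.5):
    """The query's prevalence, entropy and URL filters over ProcessRollup2-like rows."""
    groups = defaultdict(lambda: {"aids": set(), "executionCount": 0})
    for ev in events:
        g = groups[(ev["ParentBaseFileName"], ev["CommandLine"])]
        g["aids"].add(ev["aid"])
        g["executionCount"] += 1
    findings = []
    for (parent, cmdline), g in groups.items():
        info = extract_encoded_command(cmdline) if len(g["aids"]) < max_endpoints else None
        if info and info["b64Entropy"] > min_entropy and info["hasUrl"]:
            findings.append({"ParentBaseFileName": parent, "uniqueEndpointCount": len(g["aids"]),
                             "executionCount": g["executionCount"], **info})
    return findings

def _enc(ps: str) -> str:  # builds the constructed samples the way PowerShell would
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed rows: one rare blob with a URL, one blob on three endpoints without a URL, one plain
EVENTS = [{"aid": "aid-1", "ParentBaseFileName": "explorer.exe", "CommandLine":
           "powershell.exe -NoProfile -enc " + _enc("Invoke-WebRequest -Uri https://updates.example.invalid/a.ps1")}]
EVENTS += [{"aid": f"aid-{i}", "ParentBaseFileName": "svchost.exe", "CommandLine":
            "powershell.exe -EncodedCommand " + _enc("Get-Service -Name WinDefend")} for i in (2, 3, 4)]
EVENTS += [{"aid": "aid-5", "ParentBaseFileName": "cmd.exe", "CommandLine": "powershell.exe -Command Get-Date"}]
```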
Linux UserLogon and FailedUserLogon Event Updates

Transforms Cheatsheet
| convert ctime(LogonTime_decimal) as LogonTime, ctime(PasswordLastSet_decimal) as PasswordLastSet
| eval LogonType=case(LogonType_decimal=2, "Interactive", LogonType_decimal=10, "Remote Interactive/SSH")
| eval UserIsAdmin=case(UserIsAdmin_decimal=1, "Admin", UserIsAdmin_decimal=0, "Non-Admin")

Impossible Time to Travel
event_simpleName=UserLogon NOT RemoteIP IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1)
| iplocation RemoteIP 
| eval userID=coalesce(UserSid_readable, UID_decimal)
| eval stream1=mvzip(mvzip(mvzip(mvzip(mvzip(LogonTime_decimal, lat, ":::"), lon, ":::"), Country, ":::"), Region, ":::"), City, ":::")
| stats values(stream1) as stream2, dc(RemoteIP) as remoteIPCount by userID, UserName, event_platform
| where remoteIPCount > 1 
| fields userID UserName event_platform stream2
| mvexpand stream2
| eval stream1=split(stream2, ":::")
| eval LogonTime=mvindex(stream1, 0)
| eval lat=mvindex(stream1, 1)
| eval lon=mvindex(stream1, 2)
| eval country=mvindex(stream1, 3)
| eval region=mvindex(stream1, 4)
| eval city=mvindex(stream1, 5)
| sort - userID + LogonTime
| streamstats values(LogonTime) as previous_logon, values(lat) as previous_lat, values(lon) as previous_lon, values(country) as previous_country, values(region) as previous_region, values(city) as previous_city by userID UserName event_platform current=f window=1 reset_on_change=true
| fillnull value="Initial"
| eval timeDelta=round((LogonTime-previous_logon)/60/60,2)
| eval rlat1 = pi()*previous_lat/180, rlat2=pi()*lat/180, rlat = pi()*(lat-previous_lat)/180, rlon= pi()*(lon-previous_lon)/180
| eval a = sin(rlat/2) * sin(rlat/2) + cos(rlat1) * cos(rlat2) * sin(rlon/2) * sin(rlon/2) 
| eval c = 2 * atan2(sqrt(a), sqrt(1-a)) 
| eval distance = round((6371 * c),0)
| eval speed=round((distance/timeDelta),2) 
| fields - stream1 stream2 
| where previous_logon!="Initial" AND speed > 1234
| table event_platform UserName userID previous_logon previous_country previous_region previous_city LogonTime country region city distance timeDelta speed
| sort - speed
| convert ctime(previous_logon) ctime(LogonTime)
| rename event_platform as "Platform", UserName AS "User", userID AS "User ID", previous_logon AS "Logon", previous_country AS Country, previous_region AS "Region", previous_city AS City, LogonTime AS "Next Logon", country AS "Next Country", region AS "Next Region", city AS "Next City", distance AS Distance, timeDelta AS "Time Delta", speed AS "Required Speed (km/h)"
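The haversine and required-speed logic of the query above as an added Python example (not the page's own code); the logon rows are constructed, and it differs from the query in one respect: a time delta that rounds to 0.00 h is treated as infinite speed instead of a null that silently drops the pair.

```python
import math
from itertools import groupby

EARTH_RADIUS_KM = 6371
MAX_SPEED_KMH = 1234  # same threshold as the query

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance; the same a / c / 6371*c chain as the eval lines above."""
    rlat1, rlat2 = math.radians(lat1), math.radians(lat2)
    rlat, rlon = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(rlat / 2) ** 2 + math.cos(rlat1) * math.cos(rlat2) * math.sin(rlon / 2) ** 2
    return round(EARTH_RADIUS_KM * 2 * math.atan2(math.sqrt(a), math.sqrt(1 - a)))

def impossible_travel(logons, max_speed_kmh=MAX_SPEED_KMH):
    """Pair every logon with the same identity's previous one (the streamstats window=1
    step) and keep pairs whose required speed exceeds the threshold."""
    def identity(r):
        return (r["userID"], r["UserName"], r["event_platform"])
    findings = []
    for _, rows in groupby(sorted(logons, key=lambda r: (identity(r), r["LogonTime"])), key=identity):
        prev = None  # the query's "Initial" marker: a first logon has nothing to compare with
        for cur in rows:
            if prev is not None:
                distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
                hours = round((cur["LogonTime"] - prev["LogonTime"]) / 3600, 2)
                # Two logons under roughly 18 s apart round to 0.00 h; the query's division then
                # yields null and the pair drops out. Treat that as infinite speed instead.
                speed = round(distance / hours, 2) if hours > 0 else (math.inf if distance else 0.0)
                if speed > max_speed_kmh:
                    findings.append({"UserName": cur["UserName"], "userID": cur["userID"],
                                     "previous_logon": prev["LogonTime"], "previous_country": prev["country"],
                                     "LogonTime": cur["LogonTime"], "country": cur["country"],
                                     "distance": distance, "timeDelta": hours, "speed": speed})
            prev = cur
    return findings

T0 = 1_700_000_000  # constructed epoch base for the sample logons below
def _logon(user, t, lat, lon, country):
    return {"userID": f"uid-{user}", "UserName": user, "event_platform": "Lin",
            "LogonTime": t, "lat": lat, "lon": lon, "country": country}

# Constructed samples: alice jumps a quarter of the globe in one hour, bob in a day
LOGONS = [_logon("alice", T0, 0.0, 0.0, "CountryA"), _logon("alice", T0 + 3600, 0.0, 90.0, "CountryB"),
          _logon("bob", T0, 0.0, 0.0, "CountryA"), _logon("bob", T0 + 86400, 0.0, 90.0, "CountryB")]
```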
Successful Login Audit
event_platform=Lin event_simpleName IN (UserLogon) 
| iplocation RemoteAddressIP4
| convert ctime(LogonTime_decimal) as LogonTime, ctime(PasswordLastSet_decimal) as PasswordLastSet
| eval LogonType=case(LogonType_decimal=2, "Interactive", LogonType_decimal=10, "Remote Interactive/SSH")
| eval UserIsAdmin=case(UserIsAdmin_decimal=1, "Admin", UserIsAdmin_decimal=0, "Non-Admin")
| fillnull value="-" RemoteAddressIP4, Country, Region, City
| table aid, ComputerName, UserName, UID_decimal, PasswordLastSet, UserIsAdmin, LogonType, LogonTime, RemoteAddressIP4, Country, Region, City 
| sort 0 +ComputerName, LogonTime
| rename aid as "Agent ID", ComputerName as "Endpoint", UserName as "User", UID_decimal as "User ID", PasswordLastSet as "Password Last Set", UserIsAdmin as "Admin?", LogonType as "Logon Type", LogonTime as "Logon Time", RemoteAddressIP4 as "Remote IP", Country as "GeoIP Country", City as "GeoIP City", Region as "GeoIP Region"
The same username tried against a single system or multiple systems (the username is the point of interest)
event_platform=Lin event_simpleName IN (UserLogon, UserLogonFailed2) LogonType_decimal=10
| search NOT RemoteAddressIP4 IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1)
| iplocation RemoteAddressIP4
| stats count(aid) as loginAttempts, dc(aid) as totalSystemsTargeted, dc(RemoteAddressIP4) as remoteIPsInvolved, values(Country) as countriesInvolved, values(ComputerName) as computersTargeted by UserName
| sort - loginAttempts
The same remote IP address having more than one failed login attempt against the same username
event_platform=Lin event_simpleName IN (UserLogon, UserLogonFailed2) LogonType_decimal=10
| search NOT RemoteAddressIP4 IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1)
| iplocation RemoteAddressIP4
| stats count(aid) as loginAttempts, dc(aid) as totalSystemsTargeted, values(ComputerName) as computersTargeted by UserName, RemoteAddressIP4, Country, Region, City
| sort - loginAttempts
The same remote IP address having more than one failed login attempt
event_platform=Lin event_simpleName IN (UserLogon, UserLogonFailed2) LogonType_decimal=10
| search NOT RemoteAddressIP4 IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1)
| iplocation RemoteAddressIP4
| stats count(aid) as loginAttempts, dc(aid) as totalSystemsTargeted, values(ComputerName) as computersTargeted, values(UserName) as accountsTargeted by RemoteAddressIP4, Country, Region, City
| sort - loginAttempts
Microsoft Teams Credentials in the Clear
#event_simpleName=ProcessRollup2
| CommandLine=/(\/|\\)Microsoft(\/|\\)(Microsoft\s)?Teams(\/|\\)(Cookies|Local\s+Storage(\/|\\)leveldb)/i
| CommandLine=/Teams(\\|\/)(local\sstorage(\\|\/))?(?<teamsFile>(leveldb|cookies))/i
| groupBy([ParentBaseFileName, ImageFileName, teamsFile, CommandLine])

===================================================================================

Note on the "Hunting modification (ASEP modifications) of the Windows registry" query: the value 999 used for AuthenticationId_decimal is associated with the SYSTEM user. Other common LUID values are below:

  • INVALID_LUID (0)

  • NETWORK_SERVICE (996)

  • LOCAL_SERVICE (997)

  • SYSTEM (999)
