| Rule Overview: Rule Count: 3 Disabled Rules: 1 NRT Rules: 0 Built from templates: 0 🔍 Filter by Text/Regex |
Severity Breakdown: ⚪ Informational: 1 🟠 Low: 1 🟡 Medium: 0 🔴 High: 1 Visible Rules: 3 |
3 Rules |
This page is a sample of the output generated by the AllKQLtoHTML PowerShell utility. The Sentinel rules on this page were designed by me and are free to use in your own environment. All three have proven to be very effective in providing security protection in multiple corporate environments. |
| Rule Name | Query Logic | Properties |
|---|---|---|
| Curl downloading a script file Captures curl activity that downloads executable script files, which is unusual in any corporate environment. Enabled: ✅ true Severity: 🔴 High |
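// Curl downloading a script file.
// Flags curl invocations whose command line references a script-file extension
// (PowerShell, batch, VBScript, JScript, WSH, HTA, Python, Ruby, shell, PHP).
// Both the Windows 4688 audit feed and the MDE process feed are searched so the
// rule keeps working when only one telemetry source is onboarded.
// (?i) makes the extension alternatives case-insensitive; (\W|$) requires the
// extension to be followed by a non-word character or the end of the string.
let ScriptRegex = @"\.(?i)(PS[DM]?1|BAT|CMD|VB[ES]|JSE?|WS[FH]|HTA|PY|RB|P1|(BA|K|Z)?SH|PHP)(\W|$)";
union
(SecurityEvent
// endswith and has are case-insensitive in KQL.
| where EventID == 4688
    and (NewProcessName endswith @"\curl.exe" or CommandLine has "curl ")
    and CommandLine matches regex ScriptRegex
// ParentProcessName is the direct parent of the new process.
| project TimeGenerated, Device = Computer, Account = SubjectUserName, ParentProcess = ParentProcessName, Process = NewProcessName, CommandLine = CommandLine, Source = "SecurityEvent"),
(DeviceProcessEvents
// =~ is case-insensitive, matching the endswith test on the 4688 branch;
// == is case-sensitive and would silently miss a file name recorded with
// different casing.
| where (FileName =~ "curl.exe" or ProcessCommandLine has "curl ")
    and ProcessCommandLine matches regex ScriptRegex
// InitiatingProcessFileName is the process that spawned FileName (its direct
// parent). InitiatingProcessParentFileName is one level further up, so using it
// here made ParentProcess mean different things in the two branches.
| project TimeGenerated, Device = DeviceName, Account = AccountName, ParentProcess = InitiatingProcessFileName, Process = FileName, CommandLine = ProcessCommandLine, Source = "DeviceProcessEvents")
| order by TimeGenerated desc |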
queryFrequency : PT1H
queryPeriod : PT1H
triggerOperator : GreaterThan
triggerThreshold : 0
suppressionDuration : PT5H
suppressionEnabled : False
startTimeUtc :
tactics : CommandAndControl, Execution
techniques : T1059, T1204
subTechniques : T1204.002, T1059.001, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007
alertRuleTemplateName :
incidentConfiguration : {"createIncident":true,"groupingConfiguration":{"enabled":false,"reopenClosedIncident":false,"lookbackDuration":"PT5H","matchingMethod":"AllEntities","groupByEntities":[],"groupByAlertDetails":[],"groupByCustomDetails":[]}}
eventGroupingSettings : {"aggregationKind":"SingleAlert"}
alertDetailsOverride :
customDetails :
entityMappings : @{entityType=Account; fieldMappings=System.Object[]}, @{entityType=File; fieldMappings=System.Object[]}, @{entityType=Process; fieldMappings=System.Object[]}
sentinelEntitiesMappings :
id : [concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/REDACTED')]
kind : Scheduled
|
| Multiple network discovery commands run in a short period of time Detects multiple LOLBin and PowerShell commands that attackers frequently use to perform reconnaissance on a network. Enabled: ❌ false (Disabled) Severity: 🟠 Low |
// Detect multiple network discovery commands run on a single host, by a single user, within a short period of time; excludes common legitimate patterns and system account activity.
// Size of the fixed time bucket used by the summarize below. Buckets are
// aligned, not sliding, so a burst that straddles a bucket boundary is split
// across two rows and may fall under the threshold in both.
let TimeWindow = 10m;
// LOLBins compared against the lowercased process name (exact name match).
let DiscoveryTools = dynamic(["net.exe", "net1.exe", "ipconfig.exe", "hostname.exe", "whoami.exe", "nltest.exe", "nbtstat.exe", "arp.exe", "route.exe", "quser.exe", "query.exe", "qwinsta.exe", "ping.exe", "tracert.exe", "netsh.exe", "dsquery.exe", "dsget.exe", "wmic.exe", "nslookup.exe", "whois.exe"]);
// Cmdlet names looked for (has_any, term match) in lowercased PowerShell command lines.
let PowerShellDiscoveryTerms = dynamic(["get-netipconfiguration", "get-netipaddress", "get-netroute", "get-nettcpconnection", "get-netneighbor", "get-netadapter", "get-dnsclientserveraddress", "resolve-dnsname", "test-connection", "get-adcomputer", "get-aduser", "get-addomain", "get-adforest", "get-smbconnection", "get-smbshare", "get-localgroup", "get-localuser", "get-ciminstance win32_networkadapterconfiguration"]);
// Windows audit feed. Account here is domain-qualified (DOMAIN\user) and is
// not lowercased, unlike ProcessName and CommandLine.
let Security4688 = SecurityEvent
| where EventID == 4688
| extend ProcessName = tolower(tostring(NewProcessName)), CommandLine = tolower(tostring(CommandLine)), Account = strcat(SubjectDomainName, "\\", SubjectUserName), Device = Computer;
// MDE feed. Account is the bare user name of the *initiating* (parent) process.
// NOTE(review): the curl rule on this page uses AccountName (the account of the
// created process) instead; confirm which is intended. Because the two feeds
// shape Account differently, the same user is never merged across sources by
// the summarize below.
let MDEProcess = DeviceProcessEvents
| extend ProcessName = tolower(tostring(FileName)), CommandLine = tolower(tostring(ProcessCommandLine)), Account = tostring(InitiatingProcessAccountName), Device = DeviceName;
// isfuzzy=true lets the query run when one of the two tables is absent.
let AllProcesses = union isfuzzy=true Security4688, MDEProcess
// net1.exe is the helper net.exe spawns; fold it in so it is not counted twice.
| extend NormalizedProcess = case(ProcessName endswith "net1.exe", "net.exe", ProcessName)
| project TimeGenerated, Device, Account, NormalizedProcess, CommandLine;
let DiscoveryEvents = AllProcesses
| where NormalizedProcess in (DiscoveryTools) or (NormalizedProcess in ("powershell.exe","powershell_ise.exe", "pwsh.exe") and CommandLine has_any (PowerShellDiscoveryTerms))
// All PowerShell hosts collapse to a single "PowerShell" technique, so many
// cmdlets in one window still count as one distinct tool.
| extend DiscoveryTechnique = case(NormalizedProcess in ("powershell.exe","powershell_ise.exe", "pwsh.exe"), "PowerShell", NormalizedProcess);
DiscoveryEvents
// DiscoveryCount = number of distinct tools; ToolsUsed/Commands kept for triage.
| summarize DiscoveryCount = dcount(DiscoveryTechnique), ToolsUsed = array_sort_asc(make_set(DiscoveryTechnique)), Commands = make_set(CommandLine) by Device, Account, bin(TimeGenerated, TimeWindow)
// NOTE(review): with the threshold of DiscoveryCount > 3 on the next filter, a
// three-element ToolsUsed set can never pass anyway (assuming dcount is exact at
// these small cardinalities), so this exclusion is currently redundant.
| where not (set_has_element(ToolsUsed, "net.exe") and set_has_element(ToolsUsed, "ipconfig.exe") and set_has_element(ToolsUsed, "netsh.exe") and array_length(ToolsUsed) == 3) // Not necessary if DiscoveryCount set to 4 or higher.
// == is case-sensitive, and on the 4688 branch Account is DOMAIN\user, so only
// the trailing-"$" test (machine accounts) can exclude system activity there.
// NOTE(review): "local service"/"network service" are not excluded — confirm
// whether that is intended.
| where DiscoveryCount > 3 and not (Account == "system" or Account endswith "$")
| sort by TimeGenerated desc |
queryFrequency : PT1H
queryPeriod : PT1H
triggerOperator : GreaterThan
triggerThreshold : 0
suppressionDuration : PT5H
suppressionEnabled : False
startTimeUtc :
tactics : Discovery
techniques : T1082, T1016, T1049, T1018, T1069, T1033
subTechniques : T1069.001
alertRuleTemplateName :
incidentConfiguration : {"createIncident":true,"groupingConfiguration":{"enabled":false,"reopenClosedIncident":false,"lookbackDuration":"PT5H","matchingMethod":"AllEntities","groupByEntities":[],"groupByAlertDetails":[],"groupByCustomDetails":[]}}
eventGroupingSettings : {"aggregationKind":"SingleAlert"}
alertDetailsOverride : {"alertDynamicProperties":[]}
customDetails :
entityMappings : @{entityType=Account; fieldMappings=System.Object[]}, @{entityType=Host; fieldMappings=System.Object[]}
sentinelEntitiesMappings :
id : [concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/REDACTED')]
kind : Scheduled
|
| Suspicious Remote Access Tool activity Detects any of several known legitimate remote access applications making successful remote port connections. Enabled: ✅ true Severity: ⚪ Informational |
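// Suspicious Remote Access Tool activity.
// Two tiers of process names: RemoteAccessExecutables (dedicated remote-access
// products) alert on any account, while CommonRemoteAccessTools (admin/shell
// utilities that are noisy under service accounts) alert only for interactive
// user accounts. Accounts on the Privileged_Accounts watchlist are excluded.
let RemoteAccessExecutables = dynamic(["aeroadmin.exe", "agent.exe", "agentmon.exe", "ammyy.exe", "anyconnect.exe", "anydesk.exe", "assist.exe", "ateraagent.exe", "beyondtrust.exe", "bomgar.exe", "chrome-remote-desktop.exe",
"citrix.exe", "client.exe", "connectwise.exe", "control.exe", "deskreen.exe", "dwagent.exe", "dwrcc.exe", "dwrcs.exe", "forticlient.exe", "getsupport.exe", "globalprotect.exe", "go2assist.exe", "isllight.exe", "kaseya.exe",
"liteviewer.exe", "logmein.exe", "meshagent.exe", "msra.exe", "ncentral.exe", "nomachine.exe", "nxplayer.exe", "openvpn.exe", "parsec.exe", "pcvisit.exe", "pulse.exe", "pulseway.exe", "quickassist.exe", "rdclient.exe",
"rdpclip.exe", "realvnc.exe", "receiver.exe", "remoteassist.exe", "remotedesktopmanager.exe", "remotepc.exe", "remoteutilities.exe", "remoteviewer.exe", "rmmagent.exe", "rustdesk.exe", "rutserv.exe", "rutview.exe",
"screenconnect.exe", "showmypc.exe", "softether.exe", "splashtop.exe", "supremo.exe", "syncro.exe", "teamviewer.exe", "teamviewer_service.exe", "termsrv.exe", "tscon.exe", "tvnserver.exe", "ultravnc.exe", "viewer.exe",
"vmconnect.exe", "vncviewer.exe", "wg.exe", "winvnc.exe", "wireguard.exe", "workspacesapp.exe", "zohoassist.exe"]);
// msra.exe is also in RemoteAccessExecutables above, so the account filter in
// this tier never applies to it.
let CommonRemoteAccessTools = dynamic (["msrdc.exe", "mstsc.exe", "powershell.exe", "psexec.exe", "putty.exe", "pwsh.exe", "scp.exe", "sftp.exe", "ssh.exe", "sshd.exe", "telnet.exe", "winrm.cmd", "winrs.exe", "winrshost.exe",
"winscp.exe", "wmic.exe", "msra.exe", "plink.exe"]);
// Watchlist keys are lowercased here, so the comparison against them below
// must be case-insensitive as well.
let PrivilegedAccounts = _GetWatchlist('Privileged_Accounts') | project Account = tolower(SearchKey);
DeviceNetworkEvents
// in~ / !in~ are case-insensitive. The plain in / !in operators are
// case-sensitive and, with all-lowercase lists, would miss any file or account
// name the sensor records with its original casing.
| where ActionType == "ConnectionSuccess" and isnotempty(RemotePort)
    and (InitiatingProcessFileName in~ (RemoteAccessExecutables)
         or (InitiatingProcessFileName in~ (CommonRemoteAccessTools)
             and not(InitiatingProcessAccountName in~ ("system", "local service", "network service")
                     or InitiatingProcessAccountName endswith "$")))
| where InitiatingProcessAccountName !in~ (PrivilegedAccounts)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, InitiatingProcessAccountName |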
queryFrequency : PT1H
queryPeriod : PT1H
triggerOperator : GreaterThan
triggerThreshold : 0
suppressionDuration : PT5H
suppressionEnabled : False
startTimeUtc :
tactics : CommandAndControl
techniques : T1219
subTechniques :
alertRuleTemplateName :
incidentConfiguration : {"createIncident":true,"groupingConfiguration":{"enabled":false,"reopenClosedIncident":false,"lookbackDuration":"PT5H","matchingMethod":"AllEntities","groupByEntities":[],"groupByAlertDetails":[],"groupByCustomDetails":[]}}
eventGroupingSettings : {"aggregationKind":"SingleAlert"}
alertDetailsOverride :
customDetails :
entityMappings : @{entityType=Account; fieldMappings=System.Object[]}, @{entityType=File; fieldMappings=System.Object[]}
sentinelEntitiesMappings :
id : [concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/REDACTED')]
kind : Scheduled
|