KQL
#chinese
DeviceEvents
| where ActionType == "ProcessCreate"
| where (ProcessCommandLine contains "certutil" or ProcessCommandLine contains "ntdsutil" or ProcessCommandLine contains "xcopy")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ProcessCommandLine, AccountDomain
# WMI spawning
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
and FileName =~"wmic.exe"
#deleteing shadow copies
DeviceProcessEvents
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName
DeviceProcessEvents
| where SHA256 has_any ('d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca',
'882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb',
'8ac52ca0792baf2a4075fe7c68e5cbe2262da604e2fcdfb9b39656430925c168',
'3771846f010fcad26d593ea3771bee7cf3dec4d7604a8c719cef500fbf491820',
'3033913c51e0bf9a13c7ad2d5a481e174a1a3f19041c339e6ac900824793a1c6',
'095fbb7685f5ad054bab28346d744e137564beabc33c13a25818936ddc739f5b',
)
DeviceNetworkEvents
| where RemoteUrl contains "amazonaws.com/package/update.js"
DeviceNetworkEvents
| summarize Port= count() by RemotePort
| sort by Port
| where RemotePort <1024
DeviceNetworkEvents
| summarize Port= count() by RemotePort
| where RemotePort <10000
| sort by Port desc
DeviceNetworkEvents
| summarize Rurl= count() by RemoteUrl
| sort by Rurl desc
DeviceNetworkEvents
| summarize ProcessName = count() by InitiatingProcessFileName
| sort by ProcessName desc
DeviceNetworkEvents
| summarize ProcessName = count() by InitiatingProcessCommandLine
| sort by ProcessName asc
DeviceNetworkEvents
| summarize ProcessName = count() by InitiatingProcessFolderPath
| sort by ProcessName desc
DeviceLogonEvents
| where IsLocalAdmin == true and LogonType != 'RemoteInteractive'
| extend IsLocalLogon = tobool(todynamic(AdditionalFields).IsLocalLogon)
| where IsLocalLogon==false
DeviceProcessEvents
| where InitiatingProcessFileName == "ONENOTE.EXE" and not( FileName in~ ('protocolhandler.exe','notepad.exe','Teams.exe','powerpnt.exe','ai.exe','msedge.exe','msedgewebview2.exe','chrome.exe','firefox.exe','opera.exe','acrobat.exe','brave.exe','iexplore.exe','winword.exe','excel.exe' ,'AcroRd32.exe','ONENOTEM.EXE','OUTLOOK.EXE','ONENOTE.EXE','splwow64.exe'))
DeviceProcessEvents
| where Timestamp >= ago(10d)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe",
"sqlps.exe", "launchpad.exe")
| summarize tostring(makeset(ProcessCommandLine))
by DeviceId, bin(Timestamp, 2m)
| where
set_ProcessCommandLine has "certutil" or
set_ProcessCommandLine has "netstat" or
set_ProcessCommandLine has "ping" or
set_ProcessCommandLine has "sysinfo" or
set_ProcessCommandLine has "systeminfo" or
set_ProcessCommandLine has "taskkill" or
set_ProcessCommandLine has "wget" or
set_ProcessCommandLine has "whoami" or
set_ProcessCommandLine has "Invoke-WebRequest" or
set_ProcessCommandLine has "Copy-Item" or
set_ProcessCommandLine has "WebClient" or
set_ProcessCommandLine has "advpack.dll" or
set_ProcessCommandLine has "appvlp.exe" or
set_ProcessCommandLine has "atbroker.exe" or
set_ProcessCommandLine has "bash.exe" or
set_ProcessCommandLine has "bginfo.exe" or
set_ProcessCommandLine has "bitsadmin.exe" or
set_ProcessCommandLine has "cdb.exe" or
set_ProcessCommandLine has "certutil.exe" or
set_ProcessCommandLine has "cl_invocation.ps1" or
set_ProcessCommandLine has "cl_mutexverifiers.ps1" or
set_ProcessCommandLine has "cmstp.exe" or
set_ProcessCommandLine has "csi.exe" or
set_ProcessCommandLine has "diskshadow.exe" or
set_ProcessCommandLine has "dnscmd.exe" or
set_ProcessCommandLine has "dnx.exe" or
set_ProcessCommandLine has "dxcap.exe" or
set_ProcessCommandLine has "esentutl.exe" or
set_ProcessCommandLine has "expand.exe" or
set_ProcessCommandLine has "extexport.exe" or
set_ProcessCommandLine has "extrac32.exe" or
set_ProcessCommandLine has "findstr.exe" or
set_ProcessCommandLine has "forfiles.exe" or
set_ProcessCommandLine has "gpscript.exe" or
set_ProcessCommandLine has "hh.exe" or
set_ProcessCommandLine has "ie4uinit.exe" or
set_ProcessCommandLine has "ieadvpack.dll" or
set_ProcessCommandLine has "ieaframe.dll" or
set_ProcessCommandLine has "ieexec.exe" or
set_ProcessCommandLine has "infdefaultinstall.exe" or
set_ProcessCommandLine has "installutil.exe" or
set_ProcessCommandLine has "makecab.exe" or
set_ProcessCommandLine has "manage-bde.wsf" or
set_ProcessCommandLine has "mavinject.exe" or
set_ProcessCommandLine has "mftrace.exe" or
set_ProcessCommandLine has "microsoft.workflow.compiler.exe" or
set_ProcessCommandLine has "mmc.exe" or
set_ProcessCommandLine has "msbuild.exe" or
set_ProcessCommandLine has "msconfig.exe" or
set_ProcessCommandLine has "msdeploy.exe" or
set_ProcessCommandLine has "msdt.exe" or
set_ProcessCommandLine has "mshta.exe" or
set_ProcessCommandLine has "mshtml.dll" or
set_ProcessCommandLine has "msiexec.exe" or
set_ProcessCommandLine has "msxsl.exe" or
set_ProcessCommandLine has "odbcconf.exe" or
set_ProcessCommandLine has "pcalua.exe" or
set_ProcessCommandLine has "pcwrun.exe" or
set_ProcessCommandLine has "pcwutl.dll" or
set_ProcessCommandLine has "pester.bat" or
set_ProcessCommandLine has "presentationhost.exe" or
set_ProcessCommandLine has "pubprn.vbs" or
set_ProcessCommandLine has "rcsi.exe" or
set_ProcessCommandLine has "regasm.exe" or
set_ProcessCommandLine has "register-cimprovider.exe" or
set_ProcessCommandLine has "regsvcs.exe" or
set_ProcessCommandLine has "regsvr32.exe" or
set_ProcessCommandLine has "replace.exe" or
set_ProcessCommandLine has "rundll32.exe" or
set_ProcessCommandLine has "runonce.exe" or
set_ProcessCommandLine has "runscripthelper.exe" or
set_ProcessCommandLine has "schtasks.exe" or
set_ProcessCommandLine has "scriptrunner.exe" or
set_ProcessCommandLine has "setupapi.dll" or
set_ProcessCommandLine has "shdocvw.dll" or
set_ProcessCommandLine has "shell32.dll" or
set_ProcessCommandLine has "slmgr.vbs" or
set_ProcessCommandLine has "sqltoolsps.exe" or
set_ProcessCommandLine has "syncappvpublishingserver.exe" or
set_ProcessCommandLine has "syncappvpublishingserver.vbs" or
set_ProcessCommandLine has "syssetup.dll" or
set_ProcessCommandLine has "te.exe" or
set_ProcessCommandLine has "tracker.exe" or
set_ProcessCommandLine has "url.dll" or
set_ProcessCommandLine has "verclsid.exe" or
set_ProcessCommandLine has "vsjitdebugger.exe" or
set_ProcessCommandLine has "wab.exe" or
set_ProcessCommandLine has "winrm.vbs" or
set_ProcessCommandLine has "wmic.exe" or
set_ProcessCommandLine has "xwizard.exe" or
set_ProcessCommandLine has "zipfldr.dll"
| sort by DeviceId , Timestamp asc
DeviceProcessEvents
| where InitiatingProcessFileName == InitiatingProcessCommandLine
| where ProcessCommandLine has_any (
"whoami /all","cmd /c set","arp -a","ipconfig /all","net view /all","nslookup -querytype=ALL -timeout=10",
"net share","route print","netstat -nao","net localgroup")
| summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId,bin(Timestamp, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_FileName >= 8
// The query finds attempts to list users or groups using Net commands
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain')
| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine) | filter Target != ''
| project AccountName, Target, ProcessCommandLine, DeviceName, Timestamp
| sort by AccountName, Target
// Find attempts to stop processes using net stop
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10
DeviceProcessEvents
| where FileName == "batloader.exe"
| extend InitiatingProcessFileName = InitiatingProcessFileName
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "regsvr32.exe")
| summarize DeviceId = DeviceId, InitiatingProcessFileName = InitiatingProcessFileName by FileName
DeviceProcessEvents
| where ProcessCommandLine contains "route -p ADD"
DeviceNetworkEvents
| where RemoteUrl contains "edex-beta.unidata.ucar.edu"
DeviceNetworkEvents
| where RemoteUrl contains "api."
| where not(RemoteUrl contains "microsoft" or RemoteUrl contains "azure"or RemoteUrl contains "amazon")
| summarize Count = count() by RemoteUrl
| sort by Count desc
DeviceNetworkEvents
| where RemoteUrl contains "api.dfwairport"
| summarize Count = count() by RemoteUrl
| sort by Count desc
DeviceEvents
| where DeviceId == "28bacf007232ea3f8ba2e8459307f76526d42071"
| where ActionType contains "ScheduledTask"
let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs
let ReconVariables = dynamic(['Get-ADGroupMember', 'Get-ADComputer', 'Get-ADUser', 'Get-NetGPOGroup', 'net user', 'whoami', 'net group', 'hostname', 'netsh firewall', 'tasklist', 'arp', 'systeminfo']);
let TimeFrame = 48d; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (ReconVariables)
| project
Timestamp,
ActionType,
DecodedCommandLineReplaceEmptyPlaces,
ProcessCommandLine,
InitiatingProcessCommandLine,
DeviceName,
AccountName,
AccountDomain
DeviceEvents
| where ActionType == 'AsrVulnerableSignedDriverBlocked'
| distinct FolderPath, FileName, DeviceId
| summarize deviceCount = count() by FolderPath, FileName
| join (DeviceEvents| where ActionType == "AsrVulnerableSignedDriverBlocked"| summarize ruleCount = count() by FolderPath, FileName) on $left.FolderPath == $right.FolderPath and $left.FileName == $right.FileName
| project FolderPath, FileName, deviceCount, ruleCount
| order by ruleCount desc
DeviceEvents
| where ActionType startswith 'asr'
| distinct ActionType, DeviceId
| summarize deviceCount = count() by ActionType
| join (DeviceEvents | where ActionType startswith 'Asr' | summarize ruleCount = count() by ActionType) on $left.ActionType == $right.ActionType
| project ActionType, deviceCount, ruleCount
DeviceNetworkEvents
| where RemoteIP in ("37.220.87.69", "94.142.138.4", "99.230.89.236", "144.76.173.247", "3.142.81.166", "3.141.177.1", "94.142.138.61", "37.221.93.196", "2.57.122.154", "146.70.45.213", "146.70.45.212", "51.81.155.128", "45.14.227.137", "47.89.189.43", "138.199.63.93", "103.172.41.208", "47.90.254.4", "192.145.124.4", "164.92.205.166", "103.165.168.142", "163.172.83.95", "172.98.87.184", "173.231.16.77")
DeviceProcessEvents
| where ActionType == "ProcessCreate" and FileName == "rundll32.exe"
| extend CommandLine = extract(".*\"(.*)\".*", 1, ProcessCommandLine)
| where CommandLine contains "RestartManager" or CommandLine contains "RegisterApplicationRestart"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| order by Timestamp desc
EmailEvents
| where NetworkMessageId in ("8f71c3b4-d18b-49ba-4a9f-08db5596bf99","72725b7e-9a3f-4bf6-9031-08db5593d7f4","04ed6e5d-1cb4-48dc-c889-08db559437d7","a52ce6f6-6d3a-42ab-2dde-08db55b49601","37ffb799-b873-4469-c53e-08db55aaee96","9312d239-7dc0-411e-06f6-08db55ac4e25","7f0e0a93-50ef-4713-8fb2-08db55b558cd","c02d8af0-f778-4098-7ec9-08db55ace635","f1ebc63f-279b-4b34-d392-08db55ab47e0","b028bc08-d720-4084-b8ed-08db55abd090","7caef4cf-f820-4a2a-8f3c-08db55b4f033","f3737190-321b-410b-1d8a-08db55abb435","a9606500-11fa-4522-6a16-08db55b481c2","198ad17e-b67c-4161-1278-08db55b4a310")
| take 100
Last updated
Was this helpful?