randomuserid / adama Goto Github PK

In this saved search we searching for Security event log was cleared which means we search for event id 517 and 1102 but the problem is your query search for the inverse, your query is like this

"must_not": [
{
"bool": {
"minimum_should_match": 1,
"should": [
{
"match_phrase": {
"event.code": "517"
}
},
{
"match_phrase": {
"event.code": "1102"
}
}
]

and the correct is searching for these event ids and the query will be like this

"filter": [
{
"bool": {
"should": [
{
"match_phrase": {
"event.code": "517"
}
},
{
"match_phrase": {
"event.code": "1102"
}
}
],
"minimum_should_match": 1
}
}

https://twitter.com/RhinoSecurity/status/1253397992255582208?s=20

https://twitter.com/SpenGietz/status/1268947404071383042?s=20

https://twitter.com/0xdabbad00/status/1225452593234640897?s=21

https://twitter.com/singe/status/1202480904851087360?s=21

https://twitter.com/ashwinpatil/status/1196455153009774592?s=21

https://twitter.com/0xdabbad00/status/1182409961717977088?s=21

https://twitter.com/andresriancho/status/1182000274237358080?s=21

https://twitter.com/cyberwarship/status/1264533437379162113?s=21

https://twitter.com/dinosn/status/1181981419641462784?s=21

https://twitter.com/rhinosecurity/status/1159936327770681346?s=21

https://twitter.com/0xdabbad00/status/1158456395504611329?s=21

https://twitter.com/0xdabbad00/status/1258909131605307393?s=21

https://twitter.com/0xdabbad00/status/1225452593234640897?s=21

https://twitter.com/singe/status/1202480904851087360?s=21

https://twitter.com/ram_ssk/status/1196472379293044736?s=21

https://twitter.com/binitamshah/status/1176453379540865024?s=21

https://twitter.com/voulnet/status/1168527352680341505?s=21

https://twitter.com/rhinosecurity/status/1159936327770681346?s=21

https://twitter.com/taosecurity/status/1144707145138626561?s=21

https://twitter.com/rhinosecurity/status/1140982831532990464?s=21

Can you plz just uppercase the first letter from this Adama/Windows/cacls command activity.ndjson to this Adama/Windows/Cacls command activity.ndjson

Into one rule per SID, or per CVE, to facilitate more granular tuning and selection

Blanket alerting on ports in the Commonly Used Port category - https://attack.mitre.org/techniques/T1043/ - tends to make a super-massive FP / noise flood. Develop a high signal / noise search set for network events using network behavioral profiling and anomaly detection.

Executing PowerShell from Decoded Base64 (medium confidence)
Process is ‘powershell.exe’ AND
Command line includes ‘base64’ AND
Command line includes ‘iex’

PHP Executing OS Commands (medium confidence)
Parent process is ‘php.exe’ OR ‘php-cgi.exe’ AND
Process is ‘cmd.exe’
Tune out commands required for normal web application use; this is different per organization and application.

Windows IIS Worker Executing OS Commands (medium confidence)
Parent process is ‘w3wp.exe’ AND
Process is ‘cmd.exe’
Tune out commands required for normal web application use; this is different per organization and application.

Domain Administrator Enumeration via Net.exe (high confidence)
Process is ‘net.exe’ OR ‘net1.exe` AND
Command line includes ‘Domain Admin’

PowerShell Downloading Code for Execution (medium confidence)
Process is ‘powershell.exe’ AND
Command line includes ‘downloadstring’ AND
Command line includes ‘iex’

Wmic Remote Stylesheet Execution (high confidence)
Process is ‘wmic.exe’ AND
Command line includes ‘/format:’ AND
Has network connection

Use of Windows Optimize Drives Service for C2 (high confidence)
Process is ‘svchost.exe’ AND
Command line includes ‘defragsvc’ AND
Has network connection