
falconfriday's Introduction

FalconFriday

TL;DR: We believe there isn't enough content available to detect advanced adversary techniques. That's why, regularly on "Falcon Friday", we will release Microsoft Defender for Endpoint (MDE) hunting queries to detect offensive techniques.

To give you an idea, we're going to release hunts for attacks such as:

  • DLL Injection
  • Process Injection
  • COM Hijacking
  • .NET-to-JScript
  • Aborted MFA requests
  • Abuse of LOLBins
  • Misbehaving Office Applications
  • Process Hollowing
  • Unmanaged binaries running managed code
  • Anomalies in LDAP traffic
  • Command execution using WMI
  • SMB NULL session attempts
  • etc

Stay tuned and let us know if there is any specific attack technique you want to detect.

Background

Our current plan is to release MDE hunting queries on a regular basis. The queries will be released on GitHub, accompanied by a short blog post on Medium detailing the background, how the query works, the accuracy we expect, any possible variations or improvements, any catches and really anything else we deem relevant. Initially, we'll be working from the excellent library at @spotheplanet's https://www.ired.team/ and release the queries specifically for MDE. Since @olafhartong is involved, we might release Sysmon hunts as well... we'll see how it goes.

We will publish the KQL queries on GitHub. Each query will be aimed at detecting one specific technique as precisely as possible and will be linked to MITRE ATT&CK. We anticipate that some queries will have more than one variant, aimed at detecting the same attack in different ways with varying trade-offs. Similarly, we will document the trade-offs of the various options within a single query, to give you the flexibility to gear it towards more false positives or more false negatives.

Having said that, don't expect to copy-paste the queries into your environment and be done with it. We will provide a foundation query which can detect a certain technique. However, you will still need to fine-tune and extend the query to your organization's specifics to make it work in your environment, and to integrate it into your monitoring solution.

The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.

falconfriday's People

Contributors

0xffhh, bert-janp, cyb3r-monk, ep3p, gertjanbruggink, gijsh, korving-f, kubajir, olafhartong, whurd-redcanary


falconfriday's Issues

What is the DTAP? DATP?

I searched for DTAP in "microsoft-azure-strategy-and-implementation-guide".
The guide says that DTAP is Development, Testing, Acceptance, Production.
Is that right?

And DATP is written as Defender Advanced Threat Protection.

DTAP and DATP are mixed together in the Readme.
So I am confused. Please explain. 😂

Improving query in T1036-WIN-001

Hi @olafhartong

The query proposed in Defense Evasion/T1036-WIN-001.md does not work very well.
First of all, it is written in such a way that the resulting data in memory is huge, which obviously affects its performance, but it does not have to be so.

The IsSigned value in DeviceFileCertificateInfo is always 1, so the condition | where IsSigned == 0 or IsTrusted == 0 is basically IsTrusted == 0. That is because DeviceFileCertificateInfo stores information about file certificates; only signed files have certificates, so all files in this table are signed.

IsTrusted == 0 is problematic because sometimes some devices have trust issues, and due to performance optimization we want to eliminate the summarization per device and focus on SHA1.

So here is my proposed query:

let PublicConnections = materialize(
    DeviceNetworkEvents
    | where ActionType == "ConnectionSuccess"
        and RemoteIPType == "Public"
        and InitiatingProcessId !in (0, 4)    // skip the Idle and System pseudo-processes
);
let UnTrusted =
    DeviceFileCertificateInfo
    | summarize Trust = make_set(IsTrusted) by SHA1   // every trust verdict seen for this hash
    | where array_length(Trust) < 2                   // drop hashes trusted on some devices, untrusted on others
    | mv-expand Trust
    | where Trust == false; // Really untrusted
UnTrusted
| join PublicConnections on $left.SHA1 == $right.InitiatingProcessSHA1   // small table on the left side of the join
| summarize count(),
            Devices = make_set(DeviceName),
            IPs = make_set(RemoteIP),
            URLs = make_set(RemoteUrl)
         by InitiatingProcessSHA1, InitiatingProcessFileName, InitiatingProcessFolderPath
| project-rename SHA1 = InitiatingProcessSHA1
| invoke FileProfile()

I can run this easily for 30 days of data within a really big environment.
The crucial point is to start the join with the UnTrusted table, because it is definitely smaller than PublicConnections.

I know that this query does not have anything for unsigned binaries. That is because MDE is totally unreliable in this matter. I did try with DeviceProcessEvents to get a summary per InitiatingProcessSHA1 where the signature is not valid, got results, checked the SHA1 and ... what a surprise, it's valid.
In my opinion, for the unsigned binaries making connections we have to figure out something else.
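To make the reasoning in the proposed query checkable offline, here is an added Python model of its logic (example code written for this page, not from the FalconFriday repository or the issue author). The rows are constructed stand-ins for the two MDE advanced-hunting tables the query reads, DeviceFileCertificateInfo and DeviceNetworkEvents, with only the columns the query touches; device names, hashes, paths and addresses are invented. It contrasts the original `IsSigned == 0 or IsTrusted == 0` condition with the `make_set(IsTrusted) by SHA1` approach, so you can see that a hash which one device distrusts because of a local trust-chain problem is dropped once another device trusts it, and it drives the join from the small untrusted set, as the post recommends.

```python
"""Offline model of the 'really untrusted signed binary making public
connections' hunt. Constructed rows stand in for DeviceFileCertificateInfo
and DeviceNetworkEvents; the functions mirror the KQL stages."""
from collections import defaultdict

# Constructed DeviceFileCertificateInfo rows. Only signed files get a row in
# this table, so IsSigned is always 1, exactly as the issue observes.
CERT_INFO = [
    {"DeviceName": "ws01", "SHA1": "aaa1", "IsSigned": 1, "IsTrusted": False},
    {"DeviceName": "ws02", "SHA1": "aaa1", "IsSigned": 1, "IsTrusted": False},
    {"DeviceName": "ws01", "SHA1": "bbb2", "IsSigned": 1, "IsTrusted": True},
    # ws03 has a local trust-chain problem: the same hash is trusted elsewhere.
    {"DeviceName": "ws03", "SHA1": "bbb2", "IsSigned": 1, "IsTrusted": False},
    {"DeviceName": "ws02", "SHA1": "ccc3", "IsSigned": 1, "IsTrusted": True},
]


def _net(device, action, iptype, pid, sha1, name, ip, url=""):
    """Build a constructed DeviceNetworkEvents row with the columns the hunt uses."""
    return {"DeviceName": device, "ActionType": action, "RemoteIPType": iptype,
            "InitiatingProcessId": pid, "InitiatingProcessSHA1": sha1,
            "InitiatingProcessFileName": name,
            "InitiatingProcessFolderPath": "c:\\users\\public\\" + name,
            "RemoteIP": ip, "RemoteUrl": url}


NET_EVENTS = [
    _net("ws01", "ConnectionSuccess", "Public", 4321, "aaa1", "tool.exe", "203.0.113.10", "example.org"),
    _net("ws02", "ConnectionSuccess", "Public", 1234, "aaa1", "tool.exe", "203.0.113.11"),
    _net("ws03", "ConnectionSuccess", "Public", 2222, "bbb2", "agent.exe", "203.0.113.12"),  # mixed trust
    _net("ws01", "ConnectionFailed", "Public", 4321, "aaa1", "tool.exe", "203.0.113.13"),   # wrong ActionType
    _net("ws01", "ConnectionSuccess", "Private", 4321, "aaa1", "tool.exe", "10.0.0.5"),     # not a public IP
    _net("ws01", "ConnectionSuccess", "Public", 4, "ddd4", "system", "203.0.113.14"),       # PID 4 is excluded
]


def naive_untrusted(cert_rows):
    """The condition the issue criticises: any row with IsSigned == 0 or IsTrusted == 0."""
    return {r["SHA1"] for r in cert_rows if r["IsSigned"] == 0 or not r["IsTrusted"]}


def really_untrusted(cert_rows):
    """make_set(IsTrusted) by SHA1, keep hashes whose only observed verdict is false."""
    trust = defaultdict(set)
    for r in cert_rows:
        trust[r["SHA1"]].add(r["IsTrusted"])
    return {sha for sha, seen in trust.items() if len(seen) < 2 and False in seen}


def public_connections(events):
    """Mirror of the PublicConnections materialize() filter."""
    return [e for e in events
            if e["ActionType"] == "ConnectionSuccess"
            and e["RemoteIPType"] == "Public"
            and e["InitiatingProcessId"] not in (0, 4)]


def hunt(cert_rows, events):
    """Join UnTrusted onto PublicConnections and summarize per initiating binary.

    Returns {(SHA1, FileName, FolderPath): {"count", "Devices", "IPs", "URLs"}}.
    The loop is driven from the small untrusted set, the point the post makes
    about join order.
    """
    untrusted = really_untrusted(cert_rows)
    by_sha = defaultdict(list)
    for e in public_connections(events):
        by_sha[e["InitiatingProcessSHA1"]].append(e)
    result = {}
    for sha in untrusted:
        for e in by_sha.get(sha, []):
            key = (sha, e["InitiatingProcessFileName"], e["InitiatingProcessFolderPath"])
            agg = result.setdefault(key, {"count": 0, "Devices": set(), "IPs": set(), "URLs": set()})
            agg["count"] += 1
            agg["Devices"].add(e["DeviceName"])
            agg["IPs"].add(e["RemoteIP"])
            if e["RemoteUrl"]:  # the KQL make_set would also keep empty strings
                agg["URLs"].add(e["RemoteUrl"])
    return result


if __name__ == "__main__":
    print("naive:", sorted(naive_untrusted(CERT_INFO)))
    print("really untrusted:", sorted(really_untrusted(CERT_INFO)))
    for key, agg in hunt(CERT_INFO, NET_EVENTS).items():
        print(key, agg)
```

Running it shows `bbb2` in the naive set but not in the `really_untrusted` set, and only `tool.exe` (hash `aaa1`) surfaces in the final aggregation, seen on two devices with two public addresses; the `FileProfile()` enrichment step of the real query has no offline equivalent and is left out.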
