1- Windows Denetim Günlüğü Değiştirme
Windows denetim günlüklerinde yapılan herhangi bir değişikliğin kontrol edilmesi.
index=__your_sysmon_index__ (sourcetype=wineventlog AND (EventCode=1102 OR EventCode=1100)) OR (sourcetype=wineventlog AND EventCode=104) | stats count by _time EventCode Message sourcetype host
2- Yüksek Boyutlu Web Yüklemelerini Bulma
Ağınızda veri hırsızlığına işaret edilebilecek yüksek yüklemelerin tespiti.
index=__your_sysmon_index__ sourcetype=websense* | where bytes_out > 35000000 | table _time src_ip bytes* uri
3- Brute Force Saldırılarının Tespiti
Birden fazla oturum açma isteği oluşturulması.
index=__your_sysmon_index__ sourcetype=winxsecurity user=* user!"" | stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by user, ComputerName | where successes>0 AND failures>100
Windows:
index=windows source="WinEventLog:Security" EventCode=4625 | bin _time span=5m | stats count by _time,user,host,src,action | where count >= 5
Linux:
index=linux source="/var/log/auth.log" "Failed password" | bin _time span=5m | stats count by _time,user,host,src,action | where count >= 5
4- Yeni Lokal Admin Hesapları
Yeni bir kullanıcının oluşturulmasını ve ardından izinlerin yönetici düzeyine yükseltilmesini saptayabilir.
index=win_servers sourcetype=windows:security EventCode=4720 OR (EventCode=4732 Administrators) | transaction Security_ID maxspan=180m | search EventCode=4720 EventCode=4732 | table _time, EventCode, Recurity_ID, SamAccountName
5- TOR Trafiği Algılama
Ağınızdaki TOR trafiğini saptamak için güvenlik duvarı verilerinin kullanılması.
index=network sourcetype=firewall_data app=tor src_ip=* | table _time src_ip src_port dest_ip dest_port bytes app
6- Rogue DNS Algılama
DNS sunucusuna yönelik olmayan DNS isteklerinin tespiti.
index=security sourcetype=cp_log src_ip!=192.168.14.10 dest_ip!=192.168.14.10 protocol=53 action!=Drop | where dest_ip="192.168.0.0/16" AND src_ip="192.168.0.0/16" | stats count, values(dest_ip) by src_ip
7- Şüpheli PowerShell Komutları
Harici komut dosyalarını/içeriği indirmeye veya PowerShell’i atlamaya çalışan komutlara ait günlüklerin aranması.
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 AND ((ScriptBlockText=*-noni* *iex* *New-Object*) OR (ScriptBlockText=*-ep* *bypass* *-Enc*) OR (ScriptBlockText=*powershell* *reg* *add* *HKCU\\software\\microsoft\\windows\\currentversion\\run*) OR (ScriptBlockText=*bypass* *- noprofile* *-windowstyle* *hidden* *new-object* *system.net.webclient* *.download*) OR (ScriptBlockText=*iex* *New-Object* *Net.WebClient* *.Download*)) | table Computer, ScriptBlockText, UserID
8- Windows Denetim Günlüğünü Temizleme
EventCode 1102 ile filtrelenmiş güvenlik günlüklerinin aranması.
index=windows source="WinEventLog:Security" EventCode=1102 | table _time, host, signature, user
9- Malware Yazılımları
| from datamodel:"Malware"."Malware_Attacks"
| stats dc("signature") as "infection_count" by "dest"
| where 'infection_count'>110- Toplu System32 Yazma
Kötü amaçlı olmasada özellikle Windows dizininde, işletim sistemi kurulumundan sonra bu durumla karşılaşmak oldukça nadirdir. Bu kural C:\Windows\System32 dizin ağacında oluşturulan iş dosyasının şüpheli etkinliğini arar. Yönetici eylemleri nedeniyle yalnızca ara sıra false positiveler olacaktır.
| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | rex field=file_name "(?<file_extension>\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat
11- net exe Kullanarak Lokal Admin Hesap Oluşturulması
net.exe kullanarak yerel yönetici hesaplarının oluşturulmasını saptar.
| tstats count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) by Processes.process Processes.process_name Processes.dest |`create_local_admin_accounts_using_net_exe_filter`
12- Windows Defender Komut İsteminin Kurcalanmasının Tespiti
index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$"
13- Port Tarama Aktivitesinin Belirlenmesi
Genellikle Nmap, Zenmap, Cobalt Strike vb. araçları kullanarak güvenliği ihlal edilmiş makine aracılığıyla dahili ağ üzerinde bilgisayar tanımlama, bağlantı noktası, port ve hizmet taramaları tespit eder.
sourcetype='firewall_logs' dest_ip = 'internal_subnet' | stats dc(dest_port) as pcount by src_ip | where pcount >5
14- Lokal Network Sniffing
(index=__your_sysmon_index__ EventCode=1) (Image="*tshark.exe" OR Image="*windump.exe" OR (Image="*logman.exe" AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe") OR Image="*tcpdump.exe" OR Image="*wprui.exe" OR Image="*wpr.exe")
15- Powershell Konsol Komut Geçmişini Temizle
(index=__your_sysmon_index__ EventCode=1) (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="del*Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt")
16- CMSTP
(index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp))17- PowerShell Yürütme
index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName
18- Cmd’yi Başlatan Servisler
index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\cmd.exe" ParentImage="C:\\Windows\\*\\services.exe"
19- UAC’yi Devre Dışı Bırakmak
sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")
20- Olağandışı Uzun Komut Satırı Dizeleri
index=__your_sysmon_index__ sourcetype="xmlwineventlog" EventCode=4688 |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost
21- Wevtutil ile Windows Loglarının Temizlenmesi
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*)
22- Yerel İzin Grubu Keşfi
(index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*")
23- NTFS Alternatif Veri Akışı Yürütme – Sistem Yardımcı Programları
NTFS ADS – PowerShell:
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\powershell.exe|regex CommandLine="Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-ep bypass\s+-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-command.*Get-Content.*-Stream.*Set-Content.*start-process .*(\w+(\.\w+)?)"NTFS ADS - wmic
NTFS ADS – wmic:
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\wmic.exe | regex CommandLine="process call create.*\"(\w+(\.\w+)?):(\w+(\.\w+)?)"
NTFS ADS – rundll32:
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\rundll32.exe | regex CommandLine="\"?(\w+(\.\w+)?):(\w+(\.\w+)?)?\"?,\w+\|(advpack\.dll\|ieadvpack\.dll),RegisterOCX\s+(\w+\.\w+):(\w+(\.\w+)?)\|(shdocvw\.dll\|ieframe\.dll),OpenURL.*(\w+\.\w+):(\w+(\.\w+)?)"
NTFS ADS – wscript/cscript:
index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\*\\wscript.exe OR Image=C:\\Windows\\*\\cscript.exe) | regex CommandLine="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"
24- WinLogon’dan Başlatılan Komut
index=__your_sysmon_index__ EventCode=1 ParentImage="C:\\Windows\\*\\winlogon.exe" Image="C:\\Windows\\*\\cmd.exe"
25- UAC Bypass
index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45")
#Cybersecurity #BilgiGüvenliği #SIEM #Splunk