f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
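[hunt]
# Hunt metadata. The sibling commit messages mention generated docs, so these
# keys are presumably read by a doc generator — keep names and types stable.
author = "Elastic"
description = """
This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is.
"""
integration = ["system"]
uuid = "441fba85-47a9-4f1f-aab4-569bbfdc548b"
name = "Windows Logon Activity by Source IP"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts.",
]
# ATT&CK: Brute Force (T1110) and its password guessing / password spraying sub-techniques.
mitre = ["T1110", "T1110.001", "T1110.003"]
# ES|QL string comparison (`in`) is exact-match; the previous status-code list mixed
# "0x" and "0X" prefixes, so at most one spelling could ever match the stored value.
# The query now lower-cases winlog.event_data.Status before the comparison so the
# exclusion holds regardless of how the source normalises the hex prefix.
# The count thresholds at the end are environment-specific starting points, not
# fixed detection logic.
query = [
'''
from logs-system.security-*
| where @timestamp > now() - 7 day
| where host.os.family == "windows" and
event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and
source.ip is not null and
/* noisy failure status codes often associated to authentication misconfiguration;
   compared on the lower-cased value so prefix casing (0x vs 0X) cannot hide a match */
not (event.action == "logon-failed" and to_lower(winlog.event_data.Status) in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192"))
| eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null)
| stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip
/* below threshold should be adjusted to your env logon patterns */
| where count_failed >= 100 and count_success <= 10 and count_user >= 20
'''
]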