
Windows 10 error

Data copied to other location than C drive.txt

 

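// Check all created files
// that do not have extension ps1, bat or cmd, to avoid IT Pro scripts
// that are not written to C:\, to surface file shares, external drives, data partitions that are not allowed, etc.
// This could help to detect a malicious insider/user who has an unencrypted data partition and uses it
// to exfiltrate data even while removable devices & cloud storage are blocked.
DeviceFileEvents
| where ActionType == "FileCreated"
// Last ".ext" of the file name; files without an extension yield an empty string and are kept.
| extend extension = extract(@".*(\..*)$", 1, FileName)
// !in~ is case-insensitive, so "Script.PS1" is excluded like "script.ps1" (!in is case-sensitive).
| where extension !in~ (".ps1", ".bat", ".cmd")
// Text before the first ':' — the drive letter for local paths. A UNC path (\\server\share\...) has no ':',
// so the whole path lands here and passes the filter below, which is what surfaces file shares.
// Cast here so the column keeps its name in the project (project tostring(X) yields an auto-named column).
| extend DriveLetterOrShare = tostring(split(FolderPath, ':')[0])
| where DriveLetterOrShare != 'C'
| project DriveLetterOrShare, FolderPath, FileName, DeviceId, DeviceName, ReportId, Timestamp, ShareName,
    IsAzureInfoProtectionApplied, SensitivityLabel, SensitivitySubLabel,
    InitiatingProcessFileName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine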

 

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 

List files copied to USB mounted drives

This query lists files copied to USB external drives, together with USB drive information, based on FileCreated events matched to the most recent UsbDriveMounted event that precedes each file creation. Be aware that advanced hunting does not monitor all file types.

Query

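// Files created on USB drives, each matched with the most recent UsbDriveMounted event on the same device
// that precedes the file creation, so the row carries the mounted drive's product/serial/manufacturer.
// Caveat: DeviceFileEvents does not record every file type, so this is not a complete copy log.
let UsbDriveMount = DeviceEvents
    | where ActionType == "UsbDriveMounted"
    | extend ParsedFields = parse_json(AdditionalFields)
    // Cast to string so DriveLetter works with startswith below and the details compare as text.
    | project DeviceId, DeviceName, DriveLetter = tostring(ParsedFields.DriveLetter), MountTime = Timestamp,
        ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber),
        Manufacturer = tostring(ParsedFields.Manufacturer)
    | order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
    // Drop the system account; !~ is case-insensitive so "SYSTEM" is excluded as well.
    | where InitiatingProcessAccountName !~ "system"
    | where ActionType == "FileCreated"
    // Exclude the system drive and UNC/share paths; what remains are other drive letters (USB among them).
    | where FolderPath !startswith "C:\\"
    | where FolderPath !startswith "\\"
    | project ReportId, DeviceId, InitiatingProcessAccountDomain,
        InitiatingProcessAccountName, InitiatingProcessAccountUpn,
        FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
    | order by DeviceId asc, Timestamp desc;
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
// Keep only mounts that happened before the file was written...
| where Timestamp >= MountTime
// ...and the latest of them per file event. ReportId is documented as a per-device counter, so the event
// is keyed on DeviceId and Timestamp too instead of partitioning on ReportId alone.
| summarize arg_max(MountTime, *) by DeviceId, ReportId, Timestamp
| order by DeviceId asc, Timestamp desc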

 

/////////////////////////////////////////////////////////////////////////////////////

Microsoft 365 Defender Hunting queries

// Query for links opened from mail apps – if a detection occurred right afterwards.

// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,

// such as suspicious processes, network connections, etc.

// Therefore, in this example, we query for alerts that might be related to links sent via email.

// This could be indicative of a phishing or spear-phishing attacks.

// Tags: #EmailLink, #Phishing, #GetNearbyAlerts

// Explaining the underlying data:

//     This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files

//     For this event, RemoteUrl contains the opened URL.

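// Query for links opened from mail apps – if a detection occurred right afterwards.
// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,
// such as suspicious processes, network connections, etc.
// Therefore, in this example, we query for alerts that might be related to links sent via email.
// This could be indicative of a phishing or spear-phishing attack.
// Tags: #EmailLink, #Phishing, #GetNearbyAlerts
// Explaining the underlying data:
//     This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files
//     For this event, RemoteUrl contains the opened URL.
//     DeviceAlertEvents is the Defender for Endpoint alert table; the "MTP Schema" variant of this query uses AlertInfo/AlertEvidence.
let minTimeRange = ago(7d);
let outlookLinks =
    DeviceEvents
    // Filter on clicks on links from Outlook
    | where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
    | where
        // outlook.exe is the Office Outlook app
        InitiatingProcessFileName =~ "outlook.exe"
        // RuntimeBroker.exe opens links for all apps from the Windows store, including the Windows Mail app (HxOutlook.exe).
        // However, it will also include some links opened from other apps.
        or InitiatingProcessFileName =~ "runtimebroker.exe"
    | project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ParsedUrl = parse_url(RemoteUrl)
    // When applicable, parse the link sent via email from the clicked O365 ATP SafeLink
    | extend WasOutlookSafeLink = (tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
    | project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
        OpenedLink = iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
let alerts =
    DeviceAlertEvents
    // Earliest activity per alert (arg_min is the current spelling of argmin)
    | summarize (FirstDetectedActivity, Title) = arg_min(Timestamp, Title) by AlertId, DeviceId
    // Filter alerts that include events from before the queried time period
    | where FirstDetectedActivity > minTimeRange;
// Join the two together - looking for alerts whose first activity falls within 3 minutes after the link click
alerts
| join kind=inner (outlookLinks) on DeviceId
| where FirstDetectedActivity - Timestamp between (0min..3min)
// If there are multiple alerts close to a single click-on-link, aggregate them together to a single row
// Note: bin(Timestamp, 1tick) is used because when summarizing by a datetime field, the default "bin" used is 1-hour.
| summarize FirstDetectedActivity = min(FirstDetectedActivity), AlertTitles = make_set(Title)
    by OpenedLink, InitiatingProcessFileName, Timestamp = bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink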

 

// Query for links opened from mail apps – if a detection occurred right afterwards. - MTP Schema

// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,

// such as suspicious processes, network connections, etc.

// Therefore, in this example, we query for alerts that might be related to links sent via email.

// This could be indicative of a phishing or spear-phishing attacks.

// Tags: #EmailLink, #Phishing, #GetNearbyAlerts

// Explaining the underlying data:

//     This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files

//     For this event, RemoteUrl contains the opened URL.

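// Query for links opened from mail apps – if a detection occurred right afterwards. - MTP Schema
// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,
// such as suspicious processes, network connections, etc.
// Therefore, in this example, we query for alerts that might be related to links sent via email.
// This could be indicative of a phishing or spear-phishing attack.
// Tags: #EmailLink, #Phishing, #GetNearbyAlerts
// Explaining the underlying data:
//     This query uses the BrowserLaunchedToOpenUrl event, that includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files
//     For this event, RemoteUrl contains the opened URL.
//     Alerts come from AlertInfo joined to AlertEvidence, because DeviceId is only carried by the evidence rows.
let minTimeRange = ago(7d);
let outlookLinks =
    DeviceEvents
    // Filter on clicks on links from Outlook
    | where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
    | where
        // outlook.exe is the Office Outlook app
        InitiatingProcessFileName =~ "outlook.exe"
        // RuntimeBroker.exe opens links for all apps from the Windows store, including the Windows Mail app (HxOutlook.exe).
        // However, it will also include some links opened from other apps.
        or InitiatingProcessFileName =~ "runtimebroker.exe"
    | project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ParsedUrl = parse_url(RemoteUrl)
    // When applicable, parse the link sent via email from the clicked O365 ATP SafeLink
    | extend WasOutlookSafeLink = (tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
    | project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
        OpenedLink = iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
let alerts =
    AlertInfo
    | join AlertEvidence on AlertId
    // Earliest activity per alert (arg_min is the current spelling of argmin); Timestamp/Title here are AlertInfo's
    | summarize (FirstDetectedActivity, Title) = arg_min(Timestamp, Title) by AlertId, DeviceId
    // Filter alerts that include events from before the queried time period
    | where FirstDetectedActivity > minTimeRange;
// Join the two together - looking for alerts whose first activity falls within 3 minutes after the link click
alerts
| join kind=inner (outlookLinks) on DeviceId
| where FirstDetectedActivity - Timestamp between (0min..3min)
// If there are multiple alerts close to a single click-on-link, aggregate them together to a single row
// Note: bin(Timestamp, 1tick) is used because when summarizing by a datetime field, the default "bin" used is 1-hour.
| summarize FirstDetectedActivity = min(FirstDetectedActivity), AlertTitles = make_set(Title)
    by OpenedLink, InitiatingProcessFileName, Timestamp = bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink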

 

////////////////////////////////////////////////////////////////////////////////////////////////

Discovering potentially tampered devices [Nobelium]

 

 

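// Devices that had network activity in the look-back window, have produced no network or process events
// during the silence window, yet whose IP still appears as a RemoteIP in recent events — a possible sign of a
// device that was disconnected or tampered with while something else answers on its address.
// Times to be modified as appropriate
let timeAgo = 1d;
let silenceTime = 8h;
// Get all network events in the look-back window (materialize: reused by several branches below)
let allNetwork = materialize(DeviceNetworkEvents
    | where Timestamp > ago(timeAgo)
        and isnotempty(LocalIP)
        and isnotempty(RemoteIP)
        and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
        and LocalIP !in ("127.0.0.1", "::1")
    | project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
// Devices with any network or process activity inside the silence window
let nonSilentDevices = allNetwork
    | where Timestamp > ago(silenceTime)
    // Only DeviceId is needed from process events; projecting early keeps the union small
    | union (DeviceProcessEvents | where Timestamp > ago(silenceTime) | project DeviceId)
    | summarize by DeviceId;
// Local IPs seen on any device inside the silence window
let nonSilentIPs = allNetwork
    | where Timestamp > ago(silenceTime)
    | summarize by LocalIP;
// Devices (and their IPs) with no activity inside the silence window
let silentDevices = allNetwork
    | where DeviceId !in (nonSilentDevices)
        and LocalIP !in (nonSilentIPs)
    | project DeviceId, LocalIP, Timestamp, ReportId;
// Get all remote IPs that were recently active
let addressesDuringSilence = allNetwork
    | where Timestamp > ago(silenceTime)
    | summarize by RemoteIP;
// Potentially disconnected devices were connected but are silent
silentDevices
| where LocalIP in (addressesDuringSilence)
// Latest event per device; arg_max returns Timestamp plus ReportId/LocalIP from that same row,
// which replaces the original pair of arg_max calls and the ReportId1/LocalIP1 renames.
| summarize arg_max(Timestamp, ReportId, LocalIP) by DeviceId
| project DeviceId, ReportId, Timestamp, LocalIP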

 

 

 

Advanced hunting: see the data schema for all available tables

 

*********************************************************************************

 

 

// Attack surface reduction: Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.
// Every ASR event's ActionType begins with "Asr", so a prefix match returns all of them.
DeviceEvents
| where ActionType startswith "Asr"

 

******************************************************************************

 

 

// Attack surface reduction: find devices by OS platform (e.g. "Linux"); this instance filters on Windows.
DeviceInfo
| where OSPlatform == "Windows"
//| project PublicIP, Model
// limit is an alias of take: return at most 100 rows
| limit 100

 

*****************************************************************************

 

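// Attack surface reduction: ASR events shown in the advanced hunting portal are throttled to unique processes seen every hour
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
// Events per ASR action type. "Event" and "Count=count()" were split across two lines on the page,
// which does not parse; the column is EventCount.
| summarize EventCount = count() by ActionType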

*****************************************************************************

 

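// Attack surface reduction: ASROfficeChildProcess rule events, with details on the actual files and processes involved.
DeviceEvents
| where ActionType startswith "AsrOfficeChild"
// The rule id lives in the AdditionalFields JSON. The original path "$Ruleid" lacked the "$." root
// separator, so it likely extracted nothing, and the column was never projected. Confirm the property
// name and casing against a sample AdditionalFields value.
| extend RuleId = extractjson("$.RuleId", AdditionalFields, typeof(string))
| project Timestamp, DeviceName, RuleId, FileName, FolderPath, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine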

 

*****************************************************************************

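// Check if a user has used a USB device; use the DeviceInfo query below to find the device name.
DeviceEvents
| where Timestamp > ago(120d)
// The mount event's ActionType is "UsbDriveMounted" (as in the USB copy query earlier on this page);
// "UsbDriveMount" matches no rows.
| where ActionType == "UsbDriveMounted"
| where DeviceName == "ssqnt4362.ssq.local"
| extend DriveLetter = extractjson("$.DriveLetter", AdditionalFields)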

// Attack surface reduction: find devices by OS platform (e.g. "Linux"); here the filter is Windows.
DeviceInfo
| where OSPlatform == "Windows"
//| project PublicIP, Model
// Cap the output at 100 rows (limit is an alias of take)
| limit 100

 

*****************************************************************************

 

// Reduce the left table (DeviceLogonEvents) to three specific devices and failed logons before joining it
// with IdentityLogonEvents by account SID, so the join runs over a small left side.
DeviceLogonEvents
| where DeviceName in ("ssqnt4362.ssq.local", "ccb6985.ssq.local", "ssqnt5003.ssq.local")
    and ActionType == "LogonFailed"
// innerunique is the default join kind when none is given
| join kind=innerunique (
    IdentityLogonEvents
    | where ActionType == "LogonFailed" and Protocol == "Kerberos"
) on AccountSid

******************************************************************************

 

// summarize: optimize this operator
// summarize ... by with no aggregation returns the distinct key combinations (compare with the project form below)
EmailEvents
| where Timestamp > now() - 1h
| summarize by NetworkMessageId, SenderFromAddress

 

// Same columns via project: rows are not deduplicated, which is cheaper when distinct values are not needed
EmailEvents
| where Timestamp > now() - 1h
| project NetworkMessageId, SenderFromAddress

 

// Distinct sender/recipient pairs seen in the last hour
EmailEvents
| where Timestamp > now() - 1h
| summarize by SenderFromAddress, RecipientEmailAddress

 

// hint.shufflekey spreads the aggregation across nodes by RecipientEmailAddress, for when that key has high cardinality
EmailEvents
| where Timestamp > now() - 1h
| summarize hint.shufflekey = RecipientEmailAddress count() by Subject, RecipientEmailAddress

 

**********************************************************************************

 

 

// Processes that reached more than 10 distinct IP addresses over port 445 (SMB) in the last 12 hours — possibly scanning for file shares.
DeviceNetworkEvents
| where Timestamp > ago(12h)
| where RemotePort == 445
// PIDs 0 and 4 are the Windows Idle and System pseudo-processes; leave them out
| where InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount = dcount(RemoteIP)
    by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10

 

**********************************************************************************

 

 

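// Tokens / security of the device: events concerning one specific device, decoded from AdditionalFields
DeviceEvents
| extend parsed = parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
// NOTE(review): dynamic property access is case-sensitive; confirm "DeviceID" vs "DeviceId" against a sample row
| extend MediaDeviceId = tostring(parsed.DeviceID)
// The original read SerialNumber into both the description and the serial column; DeviceDescription is the
// description property carried by device events — confirm against a sample row
| extend MediaDescription = tostring(parsed.DeviceDescription)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
// Filter on the device id. The original used "extend MediaDeviceId == ...", which only adds an auto-named
// boolean column and filters nothing.
// NOTE(review): the last group of the GUID below has 13 hex digits where a well-formed GUID has 12 — verify the id.
| where MediaDeviceId == "SWD\\WPDBUSENUM\\{27bbb2ee-b1bd-11e9-b7fa-806e6ff6e6963}#000000000100000"
| project Timestamp, DeviceId, MediaClass, MediaDeviceId, MediaSerialNumber, MediaDescription, parsed
| order by Timestamp desc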
