Nterl0k - T1033 Query.exe usage on remote devices. #3267
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nasbench
requested changes
Jan 7, 2025
detections/endpoint/windows_system_remote_discovery_with_query.yml
Outdated
Show resolved
Hide resolved
detections/endpoint/windows_system_remote_discovery_with_query.yml
Outdated
Show resolved
Hide resolved
detections/endpoint/windows_system_remote_discovery_with_query.yml
Outdated
Show resolved
Hide resolved
detections/endpoint/windows_system_remote_discovery_with_query.yml
Outdated
Show resolved
Hide resolved
detections/endpoint/windows_system_remote_discovery_with_query.yml
Outdated
Show resolved
Hide resolved
nasbench
reviewed
Jan 7, 2025
| @@ -0,0 +1,57 @@ | |||
| name: Windows System Remote Discovery With Query | |||
There was a problem hiding this comment.
Just noticed that we also have ad03bfcf-8a91-4bc2-a500-112993deba87 focusing on user discovery. In an edge case where a user would use
query user /sever: they would both match creating an inflated score.
We perhaps need to exclude the "/server" flag from the other rule to focus only on local queries
There was a problem hiding this comment.
Agreed, I noticed the duplicate firing in our environment and choose to alter risk scoring on the user discovery correlation accordingly.
I can agree this is a bit of an overlap in coverage with the existing detection, but feel the lateral movement aspect adds more risk.
….yml Good suggestion Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
….yml EID updates Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Bulk commit on risk score and grammar Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Updating with drilldowns
observables update
|
This would pass if I didn't put the testing data in the wrong folder |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Details
More specific detection of Query.exe being used against remote devices.
Pending splunk/attack_data#931
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.