Azure-Sentinel/Solutions/Windows Security Events/Hunting Queries/CreateDCInstallationMedia.yaml at master · Azure/Azure-Sentinel · GitHub

Name: Azure-Sentinel/Solutions/Windows Security Events/Hunting Queries/CreateDCInstallationMedia.yaml at master · Azure/Azure-Sentinel · GitHub
Rating: 4.6 (815 reviews)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
id: 7e5f3a9a-542c-417a-a429-4ed500c5c4d8
name: Domain controller installation media creation
description: |
 'This hunting query helps to detect attempts to create installation media from domain controllers, either remotely or locally using a commandline tool called ntdsutil. These media are intended to be used in the installation of new domain controllers.'
requiredDataConnectors:
 - connectorId: WindowsSecurityEvents
dataTypes:
 - SecurityEvent
 - connectorId: WindowsForwardedEvents
dataTypes:
 - WindowsEvent
tactics:
 - CredentialAccess
relevantTechniques:
 - T1003
tags:
 - VoltTyphoon
query: |
 (union isfuzzy=true
 (SecurityEvent
 | where EventID == 4688
 | where CommandLine has_all ("ntdsutil", "ac i ntds", "create full")
 | project TimeGenerated, Computer, Account, Process, ProcessId, NewProcessName, NewProcessId, CommandLine, ParentProcessName, _ResourceId, SourceComputerId, SubjectLogonId, SubjectUserSid
 ),
 (WindowsEvent
 | where EventID == 4688
 | extend CommandLine = tostring(EventData.CommandLine)
 | where CommandLine has_all ("ntdsutil", "ac i ntds", "create full")
 | extend NewProcessName = tostring(EventData.NewProcessName), NewProcessId = tostring(EventData.NewProcessId)
 | extend Process=tostring(split(NewProcessName, '\\')[-1]), ProcessId = tostring(EventData.ProcessId)
 | extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
 | extend ParentProcessName = tostring(EventData.ParentProcessName)
 | extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectLogonId = tostring(EventData.SubjectLogonId)
 | project TimeGenerated, Computer, Account, Process, ProcessId, NewProcessName, NewProcessId, CommandLine, ParentProcessName, _ResourceId, SubjectUserName, SubjectDomainName, SubjectLogonId
 )
 )
entityMappings:
 - entityType: Account
fieldMappings:
 - identifier: FullName
columnName: Account
 - entityType: Host
fieldMappings:
 - identifier: FullName
columnName: Computer
 - entityType: Process
fieldMappings:
 - identifier: ProcessId
columnName: Process
version: 1.0.1