Executive Summary
Most EDR solutions are good at detecting attacks, but many look for a sequence of events before alerting your security team a problem exists. If an attacker is smart, they will spread out the sequence of events over days or even weeks evading detection by your EDR. Using your SIEM, you can build queries to detect attacks that your EDR might miss. I got this idea from attending a Black Hills Information Security conference.
Detections
The first detection I would look for is anyone running powershell or windows scripting host scripts. Most end users should not be running these commands in your environment. You will have some build in systems, such as SCCM and other automation tools that will run scripts, but you can tune your alerts to ignore. If you are running Windows Defender for endpoint on your machines, the KQL queries are very easy and listed below.
DeviceProcessEvents
| where FileName contains "powershell.exe"
If you have the AMA agent running, this is the query you need.
SecurityEvent
| where CommandLine contains "powershell.exe"
If you are running the AMA agent on a Windows Event Forwarding server, you will need to run this query.
WindowsEvent
| where EventData contains "powershell.exe"
You will need to tune these queries to make them useful and I am not going to get into how to do that here. My suggestion is to navigate to the logs in Microsoft Sentinel, and I would run the query seeing what it returns and start to filter out the noise.
Once you have the noise filtered, you can then go to automation, and create new analytics rule. I am going to upload the analytics template to my GitHub site, located here. I set the analytics rule to run every 15 minutes. Finally, you will need to create an automation rule. The rule can be an email, a post to a Teams channel or any other sort of alert you desire to setup.
The next process I would suggestion monitoring is wscript and quickassist., the KQL queries are listed below.
DeviceProcessEvents
| where FileName contains "wscript.exe"
SecurityEvent
| where CommandLine contains "wscript.exe"
DeviceProcessEvents
| where FileName contains "quickassist.exe"
SecurityEvent
| where CommandLine contains "quickassist.exe"
Detect PowerShell Attacks
This is another KQL query I have been working based on a blog post I read about detecting powershell attacks using Splunk. With the help of AI, I was able to convert it into the KQL query below. Since I am already looking for users that run powershell, I am not going to implement this query. If looking for powershell.exe is causing to many false positives, this is a detection you could implement.
DeviceProcessEvents
| where InitiatingProcessCommandLine == "Set-ExecutionPolicy 1" or
InitiatingProcessCommandLine contains "Mimikatz" or
InitiatingProcessCommandLine contains "EncodedCommand" or
InitiatingProcessCommandLine contains "Payload" or
InitiatingProcessCommandLine contains "Find-AVSignature" or
InitiatingProcessCommandLine contains "DllInjection" or
InitiatingProcessCommandLine contains "ReflectivePEInjection" or
InitiatingProcessCommandLine contains "Invoke-Shellcode" or
InitiatingProcessCommandLine contains "Invoke — Shellcode" or
InitiatingProcessCommandLine contains "Invoke-ShellcodeMSIL" or
InitiatingProcessCommandLine contains "Get-GPPPassword" or
InitiatingProcessCommandLine contains "Get-Keystrokes" or
InitiatingProcessCommandLine contains "Get-TimedScreenshot" or
InitiatingProcessCommandLine contains "Get-VaultCredential" or
InitiatingProcessCommandLine contains "Invoke-CredentialInjection" or
InitiatingProcessCommandLine contains "Invoke-NinjaCopy" or
InitiatingProcessCommandLine contains "Invoke-TokenManipulation" or
InitiatingProcessCommandLine contains "Out-Minidump" or
InitiatingProcessCommandLine contains "Set-MasterBootRecord" or
InitiatingProcessCommandLine contains "New-ElevatedPersistenceOption" or
InitiatingProcessCommandLine contains "Invoke-CallbackIEX" or
InitiatingProcessCommandLine contains "Invoke-PSInjection" or
InitiatingProcessCommandLine contains "Invoke-DllEncode" or
InitiatingProcessCommandLine contains "Get-ServiceUnquoted" or
InitiatingProcessCommandLine contains "Get-ServiceEXEPerms" or
InitiatingProcessCommandLine contains "Get-ServicePerms" or
InitiatingProcessCommandLine contains "Invoke-ServiceUserAdd" or
InitiatingProcessCommandLine contains "Invoke-ServiceCMD" or
InitiatingProcessCommandLine contains "Write-UserAddServiceBinary" or
InitiatingProcessCommandLine contains "Write-CMDServiceBinary" or
InitiatingProcessCommandLine contains "Write-UserAddMSI" or
InitiatingProcessCommandLine contains "Write-ServiceEXF"
Built-In OS Tools
The final query I would suggest implementing is a query looking for the use of build-in OS Tools. The query is listed below and will need to be tuned to avoid false positives.
DeviceProcessEvents
| where FileName == "nltest.exe" or FileName == "whoami.exe" or FileName == "net.exe" or FileName == "net1.exe" or FileName == "hostname.exe" or FileName == "systeminfo.exe" or FileName == "qprocess.exe" or FileName == "ntdsutil.exe"
| where InitiatingProcessParentFileName <> "SenseIR.exe"
| where AccountDomain <> "nt authority" and FileName == "net1.exe"
Final Thoughts
The queries listed above are very easy to implement and will aid in detecting the slow and low attacks.
You can also find them on my github site, located here.