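// Detect a process created (Windows Security event 4688) whose new-process
// account differs from the account that requested the creation.
// Requires "Audit Process Creation" (event 4688) to be enabled and shipped
// through the Elastic system/security integration, which maps 4688 to
// event.action == "created-process".
// Field meaning (as carried in the 4688 event):
//   winlog.event_data.SubjectUserSid - account that requested the creation
//   winlog.event_data.TargetUserSid  - account the new process runs as
// EQL query
process where event.action == "created-process" and
  // The creator SID must not be a prefix of the new-process SID; `~` makes the
  // comparison case-insensitive. NOTE(review): if SubjectUserSid is empty, an
  // empty prefix presumably matches anything and the event is suppressed -
  // confirm that is intended rather than a plain `!=` comparison.
  not startswith~(winlog.event_data.TargetUserSid, winlog.event_data.SubjectUserSid) and
  // Only domain/local user accounts (S-1-5-21-*). The explicit S-1-0-0 (NULL SID)
  // exclusion is already implied by that pattern and is kept for readability.
  winlog.event_data.TargetUserSid : "S-1-5-21-*" and not winlog.event_data.TargetUserSid: "S-1-0-0" and
  // Benign-parent exclusions; `?:` matches any drive letter. The two Program
  // Files entries are broad (any binary under those trees), so review them
  // against the environment's baseline before relying on this rule.
  not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe")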
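// ES|QL query - frequency based: flag a (parent name, child name) pair that
// occurs at most twice and on exactly one host, where the new process runs
// under a different user identity than the account that created it.
// Requires Security event 4688 (process creation audit) in the
// system.security data stream.
// NOTE(review): this reads the backing indices (.ds-*) directly; the data
// stream pattern `logs-system.security-*` is presumably the more portable
// source - confirm against the deployment.
from .ds-logs-system.security-default-*
  // 4688 only; TargetUserSid restricted to domain/local users (S-1-5-21-*),
  // SubjectUserSid to any well-formed SID, and the two must differ.
  // ES|QL LIKE uses `*` and `?` as wildcards.
  | where event.code == "4688" and winlog.event_data.TargetUserSid like "S-1-5-21-*" and winlog.event_data.SubjectUserSid like "S-1-*" and winlog.event_data.TargetUserSid != winlog.event_data.SubjectUserSid
  // Per parent/child name pair: total occurrences and number of distinct hosts.
  | stats cc = count(*), unique_count_host = count_distinct(host.id) by process.name, process.parent.name
  // Keep only rare pairs (<= 2 events) isolated to a single host.
  // NOTE(review): there is no @timestamp bound here, so outside a scheduled
  // rule the counts cover the whole index pattern's history - add a time
  // filter when running this ad hoc.
  | where cc <= 2 and unique_count_host == 1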