Merge pull request #187 from sei-nitc/master

Create Insider Threat Detection Queries

Author: tali-ash

Exfiltration/detect-archive-exfiltration-to-competitor.md

@@ -0,0 +1,54 @@
+# Detect Exfiltration to Competitor Organization
+
+This query can be used to detect instances of a malicious insider creating a file archive and then emailing that archive to an external "competitor" organization.
+
+## Query
+
+```
+EmailEvents
+| where RecipientEmailAddress contains "competitor"
+and AttachmentCount >=1
+| join (
+EmailAttachmentInfo
+//| where isnotempty(SHA256)
+)on NetworkMessageId
+| join (
+DeviceFileEvents
+| where InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
+| project FileName, SHA256
+) on FileName
+```
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  | 
+| Privilege escalation |  |  |
+| Defense evasion |  |  | 
+| Credential Access |  |  | 
+| Discovery |  |  | 
+| Lateral movement |  |  | 
+| Collection |  |  | 
+| Command and control |  |  | 
+| Exfiltration | v |  | 
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+
+## Contributor info
+
+**Contributor:** SEI National Insider Threat Center
+
+**GitHub alias:** sei-nitc
+
+**Organization:** Carnegie Mellon University Software Engineering Institute
+
+**Contact info:** [email protected]
+
+© Carnegie Mellon University, 2020. All rights reserved

Exfiltration/detect-exfiltration-after-termination.md

@@ -0,0 +1,58 @@
+# Detect Exfiltration after Termination
+
+This query can be used to explore any instances where a terminated individual (i.e. one who has an impending termination date but has not left the company) downloads a large number of files from a non-Domain network address.
+
+## Query
+
+```
+// Look for any activity for terminated employee creating a NetworkCommunicationEvents after they announced termination or resignation
+let TermAccount = 'departing.employee'; //Enter the departing employee's username
+let ReleaseTime = datetime("MM/DD/YYY 00:00:00"); //Enter the date the resignation or termination was announced
+DeviceNetworkEvents
+| where InitiatingProcessAccountName =~ TermAccount
+| where Timestamp  > ReleaseTime
+//| project Timestamp , DeviceName, InitiatingProcessAccountName
+| sort by Timestamp  desc
+| join 
+DeviceFileEvents on InitiatingProcessAccountName
+| where FileName endswith ".docx" or FileName endswith ".pptx" or FileName endswith ".xlsx" or FileName endswith ".pdf"
+| join DeviceNetworkInfo on DeviceId
+| where ConnectedNetworks !contains '"Category":"Domain"'  //Looking for remote, non-domain networks
+| summarize TotalFiles=count() by bin(5Minutebin=Timestamp, 5m), InitiatingProcessAccountName
+|where TotalFiles >1000 // adjust accordingly
+| project TotalFiles,5Minutebin,InitiatingProcessAccountName
+```
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  | 
+| Privilege escalation |  |  |
+| Defense evasion |  |  | 
+| Credential Access |  |  | 
+| Discovery |  |  | 
+| Lateral movement |  |  | 
+| Collection |  |  | 
+| Command and control |  |  | 
+| Exfiltration | v |  | 
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+
+## Contributor info
+
+**Contributor:** SEI National Insider Threat Center
+
+**GitHub alias:** sei-nitc
+
+**Organization:** Carnegie Mellon University Software Engineering Institute
+
+**Contact info:** [email protected]
+
+© Carnegie Mellon University, 2020. All rights reserved

Exfiltration/detect-steganography-exfiltration.md

@@ -0,0 +1,66 @@
+# Detect Steganography Exfiltration
+
+This query can be used to detect instances of malicious users who attempt to create steganographic images and then immediately browse to a webmail URL.  This query would require additional investigation to determine whether the co-occurrance of generating a steganographic image and browsing to a webmail URL is an indication of a malicious event.
+
+## Query
+
+```
+let stegProcesses= view() {
+let stegnames = pack_array ("camouflage","crypture", "hidensend", "openpuff","picsel","slienteye","steg","xiao");
+let ProcessQuery = view()
+{
+DeviceProcessEvents
+| where Timestamp > ago(30d)
+| where ProcessCommandLine has_any (stegnames)
+};
+let FileQuery = view(){
+DeviceFileEvents
+| where FileName has_any (stegnames)
+};
+union ProcessQuery, FileQuery
+| project StegProcessTimestamp=Timestamp, DeviceName, InitiatingProcessAccountName, FileName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine};
+let WebMailUsage=view(){
+// This query finds network communication to specific webmail URL
+let webmailURLs = pack_array ("mail.google.com", "mail.yahoo.com", "mail.protonmail.com"); // Change or append additional webmail URLs
+DeviceNetworkEvents 
+| where Timestamp > ago(30d)
+and RemoteUrl contains webmailURLs};
+WebMailUsage
+| join stegProcesses on DeviceName
+| where (Timestamp - StegProcessTimestamp) between (0min..30min)
+|project StegProcessTimestamp,Timestamp,RemoteUrl,DeviceName,InitiatingProcessAccountName,FileName
+```
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  | 
+| Privilege escalation |  |  |
+| Defense evasion |  |  | 
+| Credential Access |  |  | 
+| Discovery |  |  | 
+| Lateral movement |  |  | 
+| Collection |  |  | 
+| Command and control |  |  | 
+| Exfiltration | v |  | 
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+
+## Contributor info
+
+**Contributor:** SEI National Insider Threat Center
+
+**GitHub alias:** sei-nitc
+
+**Organization:** Carnegie Mellon University Software Engineering Institute
+
+**Contact info:** [email protected]
+
+© Carnegie Mellon University, 2020. All rights reserved