Detect URLs containing known malicious keywords or commands ASIM Web Session
| Id | 32c08696-2e37-4730-86f8-97d9c8b184c9 |
| Rulename | Detect URLs containing known malicious keywords or commands (ASIM Web Session) |
| Description | The utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service. |
| Severity | High |
| Tactics | InitialAccess CommandAndControl |
| Techniques | T1190 T1133 T1071 |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml |
| Version | 1.0.1 |
| Arm template | 32c08696-2e37-4730-86f8-97d9c8b184c9.json |
let lookback = 5m;
let RiskyCommandsInUrl = materialize(externaldata(Commands: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv"]
with(format="csv", ignoreFirstRecord=True));
let CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw("Web_RiskyCommandsInUrl") // Create new Watchlist and add your custom indicators(Optional)
| extend
Commands = tostring(WatchlistItem["Commands"])
| project Commands
| where isnotempty(Commands));
let CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;
let knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl
| where isnotempty(Commands)
| summarize make_set(Commands, 1000));
// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.
_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownRiskyCommandsInUrl)
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
severity: High
relevantTechniques:
- T1190
- T1133
- T1071
customDetails:
EventStartTime: EventStartTime
EventCount: EventCount
EventEndTime: EventEndTime
Decoded_url: Decoded_url
queryFrequency: 5m
kind: Scheduled
version: 1.0.1
name: Detect URLs containing known malicious keywords or commands (ASIM Web Session)
triggerOperator: gt
description: |
'The utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.'
queryPeriod: 5m
query: |
let lookback = 5m;
let RiskyCommandsInUrl = materialize(externaldata(Commands: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv"]
with(format="csv", ignoreFirstRecord=True));
let CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw("Web_RiskyCommandsInUrl") // Create new Watchlist and add your custom indicators(Optional)
| extend
Commands = tostring(WatchlistItem["Commands"])
| project Commands
| where isnotempty(Commands));
let CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;
let knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl
| where isnotempty(Commands)
| summarize make_set(Commands, 1000));
// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.
_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownRiskyCommandsInUrl)
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been identified as making request for URL '{{Url}}' that includes a recognizable malicious command
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
- entityType: IP
fieldMappings:
- columnName: DstIpAddr
identifier: Address
- entityType: URL
fieldMappings:
- columnName: Url
identifier: Url
- entityType: Account
fieldMappings:
- columnName: SrcUsername
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
tactics:
- InitialAccess
- CommandAndControl
status: Available
triggerThreshold: 0
tags:
- Schema: WebSession
SchemaVersion: 0.2.6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 32c08696-2e37-4730-86f8-97d9c8b184c9
requiredDataConnectors: []
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32c08696-2e37-4730-86f8-97d9c8b184c9')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32c08696-2e37-4730-86f8-97d9c8b184c9')]",
"properties": {
"alertDetailsOverride": {
"alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been identified as making request for URL '{{Url}}' that includes a recognizable malicious command"
},
"alertRuleTemplateName": "32c08696-2e37-4730-86f8-97d9c8b184c9",
"customDetails": {
"Decoded_url": "Decoded_url",
"EventCount": "EventCount",
"EventEndTime": "EventEndTime",
"EventStartTime": "EventStartTime"
},
"description": "'The utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.'\n",
"displayName": "Detect URLs containing known malicious keywords or commands (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DstIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SrcUsername",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml",
"query": "let lookback = 5m;\nlet RiskyCommandsInUrl = materialize(externaldata(Commands: string)\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv\"]\n with(format=\"csv\", ignoreFirstRecord=True));\nlet CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw(\"Web_RiskyCommandsInUrl\") // Create new Watchlist and add your custom indicators(Optional)\n | extend\n Commands = tostring(WatchlistItem[\"Commands\"])\n | project Commands\n | where isnotempty(Commands));\nlet CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;\nlet knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl\n | where isnotempty(Commands)\n | summarize make_set(Commands, 1000));\n// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.\n_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)\n| where isnotempty(Url)\n| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated\n| extend Decoded_url = url_decode(Url)\n| where Decoded_url has_any (knownRiskyCommandsInUrl)\n| summarize\n EventCount=count(),\n EventStartTime=min(TimeGenerated),\n EventEndTime=max(TimeGenerated)\n by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr\n| extend\n Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1071",
"T1133",
"T1190"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}