Server Oriented Cmdlet And User Oriented Cmdlet used
| Id | 7bce901b-9bc8-4948-8dfc-8f68878092d5 |
| Rulename | Server Oriented Cmdlet And User Oriented Cmdlet used |
| Description | Detect if a server oriented cmdlet and a user oriented cmdlet that are monitored are launched by the same user in the same server within a 10 minutes timeframe |
| Severity | High |
| Tactics | Exfiltration Persistence Collection |
| Techniques | T1020 T1098 T1114 |
| Required data connectors | ESI-ExchangeAdminAuditLogEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml |
| Version | 1.2.0 |
| Arm template | 7bce901b-9bc8-4948-8dfc-8f68878092d5.json |
let timeframe = 1d;
let spanoftime = 10m;
let threshold = 0;
ExchangeAdminAuditLogs
| where TimeGenerated > ago(2 * timeframe)
| where isempty(UserOriented)
| project serverExecutedTime = TimeGenerated,
ServerCmdlet = CmdletName,
ServerCmdletParams = CmdletParameters,
Computer,
Caller,
ServerCmdletTargetObject = TargetObject
| join kind= inner (
ExchangeAdminAuditLogs
| where TimeGenerated > ago(timeframe)
| where UserOriented =~ 'Yes'
| project userExecutedTime = TimeGenerated,
UserCmdlet = CmdletName,
UserCmdletParams = CmdletParameters,
Computer,
Caller,
UserCmdletTargetObject = TargetObject,
userPrincipalName,
objectGUID,
sAMAccountName,
IsVIP)
on Computer, Caller
| where userExecutedTime - serverExecutedTime < spanoftime
| extend TimeDelta = userExecutedTime - serverExecutedTime
| extend TimeDeltaInverse = serverExecutedTime - userExecutedTime
| where tolong(TimeDelta) >= threshold or tolong(TimeDeltaInverse) >= threshold
relevantTechniques:
- T1020
- T1098
- T1114
name: Server Oriented Cmdlet And User Oriented Cmdlet used
requiredDataConnectors:
- dataTypes:
- Event
connectorId: ESI-ExchangeAdminAuditLogEvents
entityMappings:
- fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: userPrincipalName
- identifier: Upn
columnName: userPrincipalName
entityType: Mailbox
- fieldMappings:
- identifier: FullName
columnName: Computer
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: ServerCmdletTargetObject
entityType: Host
- fieldMappings:
- identifier: Name
columnName: Caller
- identifier: ObjectGuid
columnName: objectGUID
entityType: Account
triggerThreshold: 0
id: 7bce901b-9bc8-4948-8dfc-8f68878092d5
tactics:
- Exfiltration
- Persistence
- Collection
version: 1.2.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1d
severity: High
status: Available
description: |
'Detect if a server oriented cmdlet and a user oriented cmdlet that are monitored are launched by the same user in the same server within a 10 minutes timeframe'
query: |
let timeframe = 1d;
let spanoftime = 10m;
let threshold = 0;
ExchangeAdminAuditLogs
| where TimeGenerated > ago(2 * timeframe)
| where isempty(UserOriented)
| project serverExecutedTime = TimeGenerated,
ServerCmdlet = CmdletName,
ServerCmdletParams = CmdletParameters,
Computer,
Caller,
ServerCmdletTargetObject = TargetObject
| join kind= inner (
ExchangeAdminAuditLogs
| where TimeGenerated > ago(timeframe)
| where UserOriented =~ 'Yes'
| project userExecutedTime = TimeGenerated,
UserCmdlet = CmdletName,
UserCmdletParams = CmdletParameters,
Computer,
Caller,
UserCmdletTargetObject = TargetObject,
userPrincipalName,
objectGUID,
sAMAccountName,
IsVIP)
on Computer, Caller
| where userExecutedTime - serverExecutedTime < spanoftime
| extend TimeDelta = userExecutedTime - serverExecutedTime
| extend TimeDeltaInverse = serverExecutedTime - userExecutedTime
| where tolong(TimeDelta) >= threshold or tolong(TimeDeltaInverse) >= threshold
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bce901b-9bc8-4948-8dfc-8f68878092d5')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bce901b-9bc8-4948-8dfc-8f68878092d5')]",
"properties": {
"alertRuleTemplateName": "7bce901b-9bc8-4948-8dfc-8f68878092d5",
"customDetails": null,
"description": "'Detect if a server oriented cmdlet and a user oriented cmdlet that are monitored are launched by the same user in the same server within a 10 minutes timeframe'\n",
"displayName": "Server Oriented Cmdlet And User Oriented Cmdlet used",
"enabled": true,
"entityMappings": [
{
"entityType": "Mailbox",
"fieldMappings": [
{
"columnName": "userPrincipalName",
"identifier": "MailboxPrimaryAddress"
},
{
"columnName": "userPrincipalName",
"identifier": "Upn"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "ServerCmdletTargetObject",
"identifier": "HostName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Caller",
"identifier": "Name"
},
{
"columnName": "objectGUID",
"identifier": "ObjectGuid"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml",
"query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nExchangeAdminAuditLogs \n | where TimeGenerated > ago(2 * timeframe)\n | where isempty(UserOriented)\n | project serverExecutedTime = TimeGenerated,\n ServerCmdlet = CmdletName,\n ServerCmdletParams = CmdletParameters,\n Computer,\n Caller,\n ServerCmdletTargetObject = TargetObject\n | join kind= inner (\n ExchangeAdminAuditLogs\n | where TimeGenerated > ago(timeframe)\n | where UserOriented =~ 'Yes'\n | project userExecutedTime = TimeGenerated,\n UserCmdlet = CmdletName,\n UserCmdletParams = CmdletParameters,\n Computer,\n Caller,\n UserCmdletTargetObject = TargetObject,\n userPrincipalName,\n objectGUID,\n sAMAccountName,\n IsVIP)\n on Computer, Caller\n | where userExecutedTime - serverExecutedTime < spanoftime\n | extend TimeDelta = userExecutedTime - serverExecutedTime\n | extend TimeDeltaInverse = serverExecutedTime - userExecutedTime\n | where tolong(TimeDelta) >= threshold or tolong(TimeDeltaInverse) >= threshold\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"Exfiltration",
"Persistence"
],
"techniques": [
"T1020",
"T1098",
"T1114"
],
"templateVersion": "1.2.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}