Server Oriented Cmdlet And User Oriented Cmdlet used
| Id | 7bce901b-9bc8-4948-8dfc-8f68878092d5 |
| Rulename | Server Oriented Cmdlet And User Oriented Cmdlet used |
| Description | Detects when a monitored server-oriented cmdlet and a monitored user-oriented cmdlet are launched by the same user on the same server within a 10-minute timeframe |
| Severity | High |
| Tactics | Exfiltration Persistence Collection |
| Techniques | T1020 T1098 T1114 |
| Required data connectors | ESI-ExchangeAdminAuditLogEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml |
| Version | 1.2.0 |
| Arm template | 7bce901b-9bc8-4948-8dfc-8f68878092d5.json |
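// Pairs a server-oriented Exchange admin cmdlet with a user-oriented one run by
// the same Caller on the same Computer, and keeps only pairs whose executions
// fall within `spanoftime` of each other (in either order, as the rule
// description states).
let timeframe = 1d;
let spanoftime = 10m;
let threshold = 0;
// Server-oriented side: audit rows that carry no UserOriented flag.
// NOTE(review): this side looks back 2 * timeframe (2d) while the rule's
// queryPeriod is 1d — confirm the wider lookback is actually honoured at run time.
ExchangeAdminAuditLogs
| where TimeGenerated > ago(2 * timeframe)
| where isempty(UserOriented)
| project serverExecutedTime = TimeGenerated,
    ServerCmdlet = CmdletName,
    ServerCmdletParams = CmdletParameters,
    Computer,
    Caller,
    ServerCmdletTargetObject = TargetObject
| join kind= inner (
    // User-oriented side: audit rows explicitly flagged UserOriented = 'Yes'.
    ExchangeAdminAuditLogs
    | where TimeGenerated > ago(timeframe)
    | where UserOriented =~ 'Yes'
    | project userExecutedTime = TimeGenerated,
        UserCmdlet = CmdletName,
        UserCmdletParams = CmdletParameters,
        Computer,
        Caller,
        UserCmdletTargetObject = TargetObject,
        userPrincipalName,
        objectGUID,
        sAMAccountName,
        IsVIP)
    on Computer, Caller
| extend TimeDelta = userExecutedTime - serverExecutedTime
| extend TimeDeltaInverse = serverExecutedTime - userExecutedTime
// Bound the gap on BOTH sides. The previous `TimeDelta < spanoftime` test let
// every negative delta through (a user cmdlet run at any earlier time than the
// server cmdlet), so pairs far outside the 10-minute window were reported.
| where abs(TimeDelta) < spanoftime
// With threshold = 0 one of the two deltas is always >= 0, so this filter is a
// no-op; kept so the threshold knob and the output columns stay as before.
| where tolong(TimeDelta) >= threshold or tolong(TimeDeltaInverse) >= threshold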
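# Sentinel scheduled analytic rule. Indentation is restored here (the rendered
# copy had every line at column 0, which is not valid YAML for the nested
# lists, the block scalars and the entity mappings).
relevantTechniques:
  - T1020
  - T1098
  - T1114
name: Server Oriented Cmdlet And User Oriented Cmdlet used
# With triggerOperator gt and threshold 0 the rule fires on any returned row.
triggerThreshold: 0
tactics:
  - Exfiltration
  - Persistence
  - Collection
severity: High
id: 7bce901b-9bc8-4948-8dfc-8f68878092d5
status: Available
requiredDataConnectors:
  - dataTypes:
      - Event
    connectorId: ESI-ExchangeAdminAuditLogEvents
kind: Scheduled
query: |
  // Pairs a server-oriented Exchange admin cmdlet with a user-oriented one run by
  // the same Caller on the same Computer, and keeps only pairs whose executions
  // fall within `spanoftime` of each other (in either order, as the description
  // states).
  let timeframe = 1d;
  let spanoftime = 10m;
  let threshold = 0;
  // Server-oriented side: audit rows that carry no UserOriented flag.
  // NOTE(review): this side looks back 2 * timeframe (2d) while queryPeriod is
  // 1d — confirm the wider lookback is actually honoured at run time.
  ExchangeAdminAuditLogs
  | where TimeGenerated > ago(2 * timeframe)
  | where isempty(UserOriented)
  | project serverExecutedTime = TimeGenerated,
      ServerCmdlet = CmdletName,
      ServerCmdletParams = CmdletParameters,
      Computer,
      Caller,
      ServerCmdletTargetObject = TargetObject
  | join kind= inner (
      // User-oriented side: audit rows explicitly flagged UserOriented = 'Yes'.
      ExchangeAdminAuditLogs
      | where TimeGenerated > ago(timeframe)
      | where UserOriented =~ 'Yes'
      | project userExecutedTime = TimeGenerated,
          UserCmdlet = CmdletName,
          UserCmdletParams = CmdletParameters,
          Computer,
          Caller,
          UserCmdletTargetObject = TargetObject,
          userPrincipalName,
          objectGUID,
          sAMAccountName,
          IsVIP)
      on Computer, Caller
  | extend TimeDelta = userExecutedTime - serverExecutedTime
  | extend TimeDeltaInverse = serverExecutedTime - userExecutedTime
  // Bound the gap on BOTH sides. The previous `TimeDelta < spanoftime` test let
  // every negative delta through (a user cmdlet run at any earlier time than the
  // server cmdlet), so pairs far outside the 10-minute window were reported.
  | where abs(TimeDelta) < spanoftime
  // With threshold = 0 one of the two deltas is always >= 0, so this filter is a
  // no-op; kept so the threshold knob and the output columns stay as before.
  | where tolong(TimeDelta) >= threshold or tolong(TimeDeltaInverse) >= threshold
description: |
  'Detect if a server oriented cmdlet and a user oriented cmdlet that are monitored are launched by the same user in the same server within a 10 minutes timeframe'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml
triggerOperator: gt
# queryPeriod is the data window the scheduled query may read; the query's
# server-oriented side asks for 2d, which is wider than this value.
queryPeriod: 1d
queryFrequency: 1d
version: 1.2.0
entityMappings:
  - entityType: Mailbox
    fieldMappings:
      - columnName: userPrincipalName
        identifier: MailboxPrimaryAddress
      - columnName: userPrincipalName
        identifier: Upn
  - entityType: Host
    fieldMappings:
      - columnName: Computer
        identifier: FullName
  # NOTE(review): TargetObject of the server-oriented cmdlet is mapped as a Host
  # name — confirm it is always a server identifier, otherwise non-host targets
  # will be surfaced as Host entities on incidents.
  - entityType: Host
    fieldMappings:
      - columnName: ServerCmdletTargetObject
        identifier: HostName
  - entityType: Account
    fieldMappings:
      - columnName: Caller
        identifier: Name
      - columnName: objectGUID
        identifier: ObjectGuid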