Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query will show rare firewall rule changes using netsh utility by comparing rule names and program names from the previous day with those from the historical chosen time frame. - This technique was seen in relation to Solarigate attack but the results can indicate potential malicious activity used in different attacks. - The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated f
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 3dc5dc8b-160b-407e-9925-24a91e3599df |
| Severity | Low |
| Tactics | Execution |
| Techniques | T1204 |
| Required Connectors | SecurityEvents, MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
DeviceProcessEvents |
✓ | ✗ | ? | |
Event |
Source == "Microsoft-Windows-Sysmon" |
✓ | ✓ | ? |
SecurityEvent |
EventID == "1" |
✓ | ✓ | ? |
The following connectors provide data for this content item:
| Connector | Solution |
|---|---|
| ESI-Opt34DomainControllersSecurityEventLogs | Microsoft Exchange Security - Exchange On-Premises |
| SecurityEvents | Windows Security Events |
| WindowsSecurityEvents | Windows Security Events |
Solutions: Microsoft Exchange Security - Exchange On-Premises, Windows Security Events
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊