Added logic to resolve Mitre Tactics to their relevant Urls (#396)

* T1566.001 - QR Code Phishing Attachment (Quishing) - Updated the KQL with Recipient Email address * # NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors - 20230928002 * Apple releases Critical Updates for Known Exploited vulnerabilities - 20231009003 * Apple releases Critical Updates for Known Exploited vulnerabilities - 20231009001 * Update T1566.001-QR-CodePhishingAttachment(Quishing).md Updated the document version number to 1.0 * Citrix Releases Security Updates for Multiple Products - 20231012001 * Updated Citrix Releases Security Updates for Multiple Products - 20231012001 * Updated Citrix Releases Security Updates for Multiple Products - 20231012001 * Added new ADS and updates * Updated Advisory number for Citrix advisory * Updated ADSs with macros for MITRE URL's * Updates libraries and requirement.txt * Removed macros for Software ID related ADS's * Added marcos to retrieve MITRE URL's * Updated requirements.txt with BeautifulSoup4 req * 20231023005-SolarWinds-ARM-ThreeCriticalRCEVulnerabilities.md * Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities - 20231025001 * VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities - 20231026001 * Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature - 20231027004 * Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature - 20231027004 * Apple Releases Security Advisories for Multiple Products - 20231027005 * Updated CVSS score of CVE-2023-4966 - 20231012003 * Improper Authorization Vulnerability In Confluence Data Center and Server - 20231101002 * Added logic to resolve links to MITRE tactics * Added new ADS's and updated existing ones * Updated entry to hide Lateral Movement - Webservers in Guidelines table * New Microsoft Exchange zero-days allow RCE, data theft attacks - 20231106002 --------- Co-authored-by: Joshua Hitchen (DGov) <[email protected]>
wagov · Nov 7, 2023 · 3d1c5b7 · 3d1c5b7
1 parent f2136f9
commit 3d1c5b7
Show file tree

Hide file tree

Showing 18 changed files with 400 additions and 101 deletions.
diff --git a/...s/20231106002-New-Microsoft-Exchange-zero-days-allow-RCE,-data-theft-attacks.md b/...s/20231106002-New-Microsoft-Exchange-zero-days-allow-RCE,-data-theft-attacks.md
@@ -0,0 +1,36 @@
+# New Microsoft Exchange zero-days allow RCE, data theft attacks - 20231106002
+
+## Overview
+
+Trend Micro has disclosed zero day vulnerabilities within Microsoft Exchange, which allows attackers to exploit and remotely execute arbitrary code or disclose sensitive information.
+
+## What is the vulnerability?
+
+Note: The vulnerabilities identified do not currently have any CVE's associated with them.
+
+-   [ZDI-23-1578](https://www.zerodayinitiative.com/advisories/ZDI-23-1578/) - CVSS v3 Base Score: ***7.5*** -- A remote code execution (RCE) flaw in the 'ChainedSerializationBinder' class, where user data isn't adequately validated, allowing attackers to deserialize untrusted data. Successful exploitation enables an attacker to execute arbitrary code as 'SYSTEM,' the highest level of privileges on Windows.
+-   [ZDI-23-1579](https://www.zerodayinitiative.com/advisories/ZDI-23-1579/) - CVSS v3 Base Score: ***7.1*** -- Located in the 'DownloadDataFromUri' method, this flaw is due to insufficient validation of a URI before resource access. Attackers can exploit it to access sensitive information from Exchange servers.
+-   [ZDI-23-1580](https://www.zerodayinitiative.com/advisories/ZDI-23-1580/) - CVSS v3 Base Score: ***7.1*** -- This vulnerability, in the 'DownloadDataFromOfficeMarketPlace' method, also stems from improper URI validation, potentially leading to unauthorized information disclosure.
+-   [ZDI-23-1581](https://www.zerodayinitiative.com/advisories/ZDI-23-1581/) - CVSS v3 Base Score: ***7.1*** -- Present in the CreateAttachmentFromUri method, this flaw resembles the previous bugs with inadequate URI validation, again, risking sensitive data exposure.
+
+## What is vulnerable?
+
+The vulnerability affects the following products:
+
+- Exchange
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Microsoft has not released a fix for the issue(s) identified above. However, it is advised to update to the latest version of Exchange, and any future updates that may become available.
+
+#### Additional Details:
+-   Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected.
+-   Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials.
+-   Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.
+-   Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
+
+## Additional References
+
+- [New Microsoft Exchange zero-days allow RCE, data theft attacks (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md
@@ -4,7 +4,7 @@
 Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike to compromise an environment. 
 CobaltStrike uses named pipes for communication between processes. Default beacon configs use pipes in the format "MSSE-x-server", where "x" is a number from 1 to 4 characters. 
 
-**example:**  
+**Example:**  
 "MSSE-x-server", where "x" is a number from 1 to 4 characters  
 
 **Related**  
@@ -17,6 +17,7 @@ https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named
 https://github.com/SigmaHQ/sigma/issues/253  
 https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/  
 https://redcanary.com/threat-detection-report/threats/cobalt-strike/  
+https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml
 
 ####  ATT&CK TACTICS<br>
 {{mitre("S0154")}}
@@ -26,16 +27,25 @@ Data Source(s): [Named Pipe](https://attack.mitre.org/datasources/DS0023)
 #### SENTINEL RULE QUERY<br>
 
 ~~~
+let selection_MSSE = dynamic([@'\MSSE-', '-server']);
+let selection_Pipename = dynamic(['\\\\postex_', '\\\\status_', '\\\\msagent_', '\\\\mojo_', '\\\\interprocess_', '\\\\samr_', '\\\\netlogon_', '\\\\srvsvc_', '\\\\lsarpc_', '\\\\wkssvc_']); // Also include the pipe "\postex_ssh_"
 DeviceEvents
 | where ActionType == "NamedPipeEvent"
-| where AdditionalFields.PipeName has_any ('MSSE-','msagent_','status_','postex_ssh_','postex_')
+| extend FileOperation_ = tostring(AdditionalFields.FileOperation)
+| extend PipeName_ = tostring(AdditionalFields.PipeName)
+| where FileOperation_ == "File created"
+| where PipeName_ has_all (selection_MSSE) or PipeName_ has_any (selection_Pipename)
+| where not(InitiatingProcessFolderPath contains "kdsstm.exe" and PipeName_ contains "kyoceradocumentsolutions") // Kyocera drivers
+//| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileOperation_, PipeName_, TenantId
+| summarize count(), earliest_Timestamp=min(TimeGenerated) by ActionType, DeviceName, InitiatingProcessParentFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileOperation_, PipeName_, TenantId
 ~~~
 
 #### Triage
 
-1. Inspect named pipe pattern if matching "MSSE-x-server"  
+1. Inspect named pipe pattern if matching "MSSE-x-server"
+2. Examine the InitiatingProcessFolderPath folder location, and check for any mistype on service name  
 
 
 
 #### VERSION
-Version 1.0 (date: 10/07/2023)
+Version 2.0 (date: 25/10/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-AdFindExecution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-AdFindExecution.md
@@ -3,23 +3,21 @@
 ####  DESCRIPTION  
 Detects the use of Adfind. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.   
 
-**example:**  
-adfind.exe -f "(objectcategory=person)" > ad_users.txt      
-
-
-objectcategory=person – Finds all person objects  
-objectcategory=computer – Finds all computers in domain  
-trustdmp – Dumps trust objects.  
-objectcategory=subnet – Finds all subnets  
-domainlist – Dumps all Domain NCs in forest in sorted DNS list format  
-dcmodes – Shows modes of all DCs in forest from config  
-adinfo – Shows Active Directory Info with whoami info.  
-dclist – Dumps Domain Controllers FQDNs.  
-computers_pwdnotreqd – Dumps users set with password not required.   
-
+**Example:**  
+> adfind.exe -f "(objectcategory=person)" > ad_users.txt      
+> 
+> objectcategory=person – Finds all person objects  
+> objectcategory=computer – Finds all computers in domain  
+> trustdmp – Dumps trust objects.  
+> objectcategory=subnet – Finds all subnets  
+> domainlist – Dumps all Domain NCs in forest in sorted DNS list format  
+> dcmodes – Shows modes of all DCs in forest from config  
+> adinfo – Shows Active Directory Info with whoami info.  
+> dclist – Dumps Domain Controllers FQDNs.  
+> computers_pwdnotreqd – Dumps users set with password not required.
 
 **Related**  
-common tool           
+Common tool           
 
 
 **Reference:**  
@@ -43,11 +41,11 @@ Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/)
 #### SENTINEL RULE QUERY   
 
 ~~~
-let c1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name="Domain Admins"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']);
-find where 
-FileName =~ "AdFind.exe" or ProcessVersionInfoOriginalFileName =~ "AdFind.exe" or 
-InitiatingProcessFileName =~ "AdFind.exe" or InitiatingProcessVersionInfoOriginalFileName =~ "AdFind.exe" or Process =~ "AdFind.exe" or
-ProcessCommandLine has_any (c1)    
+let c1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name="Domain Admins"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']); 
+find where FileName =~ "AdFind.exe" or ProcessVersionInfoOriginalFileName =~ "AdFind.exe" or  InitiatingProcessFileName =~ "AdFind.exe" or InitiatingProcessVersionInfoOriginalFileName =~ "AdFind.exe" or Process =~ "AdFind.exe" or ProcessCommandLine has_any (c1)     
+| where TimeGenerated between(todatetime('2023-09-01')..todatetime('2023-09-30'))
+| extend placeholder_=dynamic({'':null}) 
+| evaluate bag_unpack(column_ifexists('pack_', placeholder_))  
 ~~~
 
 
@@ -59,8 +57,8 @@ ProcessCommandLine has_any (c1)
 
 #### FalsePositive  
 
-Legitimate administrative activity    
+1. Legitimate administrative activity.
 
 
 #### VERSION  
-Version 1.0 (date: 10/07/2023)
+Version 1.1 (date: 10/07/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md
@@ -4,9 +4,9 @@
 ####  DESCRIPTION  
 Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.  
 
-**example:**  
-C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths\" /f /t REG_DWORD /v \"C:\ProgramData\Microsoft\Oweboiqnb\" /d \"0\"
-C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /f /t REG_DWORD /v \"C:\ProgramData\Microsoft\Oweboiqnb\" /d \"0\"    
+**Example:**  
+> C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths\" /f /t REG_DWORD /v \"C:\ProgramData\Microsoft\Oweboiqnb\" /d \"0\"
+> C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /f /t REG_DWORD /v \"C:\ProgramData\Microsoft\Oweboiqnb\" /d \"0\"    
 
 **Related**  
 Malware  
@@ -18,17 +18,22 @@ https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 ####  ATT&CK TACTICS  
 {{ mitre("T1562.001")}}  
 
-Data source - Command  
+Data Source(s): [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation)  
 
 ####  SENTINEL RULE QUERY   
 
 ~~~
-let c1 = dynamic([@'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths', @'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths']);  
-find where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1)   
+let selection_1 = dynamic([@'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths', @'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths']); 
+let selection_2 = dynamic(['ADD ', @'/t ','REG_DWORD ',@'/v ',@'/d ', '0']); 
+DeviceProcessEvents
+| where ActionType == "ProcessCreated"
+| where FolderPath endswith @'\\reg.exe'
+| where ProcessCommandLine has_any (selection_1) and ProcessCommandLine has_all (selection_2)
 ~~~
 
 ####  Triage   
-1. Inspect commands to identify Qbot activity     
+1. Inspect commands and check whether it's expected
+2. Verify on folders path and name being added into Defender exclusion  
 
 ####  Version   
-Version 1.0 (date 5/7/2023)   
+Version 1.1 (date 18/10/2023)   
diff --git a/...idelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md b/...idelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md
@@ -1,11 +1,11 @@
-###  T1003 - OS Credential Dumping Exfiltrate ntds.dit 
+###  T1003 - OS Credential Dumping: Exfiltrate ntds.dit 
 
 
 ####  DESCRIPTION  
 A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.  
 
-**example:**  
-cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp > C:\Windows\Temp\<filename>.tmp 
+**Example:**  
+> cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp > C:\Windows\Temp\<filename>.tmp 
 
 **Related**  
 Volt Typhoon activity
@@ -26,17 +26,20 @@ Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Comman
 
 #### SENTINEL RULE QUERY<br>
 
-#### T1003.003 - OS Credential Dumping: NTDS 
-
 ~~~
 let c1 = dynamic(["ntds.dit"]); 
 find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) 
+| where TimeGenerated between(todatetime('2023-09-01')..todatetime('2023-09-30'))| extend placeholder_=dynamic({'':null}) | evaluate bag_unpack(column_ifexists('pack_', placeholder_))
 ~~~
 
 #### Triage
 
 1. Inspect which account and at what time the activity was performed  
 2. Question the user if the activity was expected and approved  
 
+#### False Positive 
+1. Back up software  
+    > "ESENTUTL.EXE" .. "C:\Program Files\Veritas\.." "\\?\...\NTDS\ntds.dit"
+
 #### VERSION
-Version 1.0 (date: 10/07/2023)
+Version 1.1 (date: 16/10/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md
@@ -5,8 +5,8 @@
 Detects Mimikatz DC sync activity    
 
 
-**example:**  
-"mimikatz.exe" "lsadump::dcsync /domain:somedomain.gov.au /user:someusername.gov.au" exit       
+**Example:**  
+> "mimikatz.exe" "lsadump::dcsync /domain:somedomain.gov.au /user:someusername.gov.au" exit       
 
 
 **Related**  
@@ -27,19 +27,27 @@ Data Source(s): [Active Directory](https://attack.mitre.org/datasources/DS0026/)
 #### SENTINEL RULE QUERY   
 
 ~~~
-let c1 = 'DCSync'; 
-find where InitiatingProcessCommandLine has c1 or ProcessCommandLine has c1 or CommandLine has c1
+let selection_properties = dynamic(['Replicating Directory Changes All','1131f6ad-9c07-11d1-f79f-00c04fc2dcd2','1131f6aa-9c07-11d1-f79f-00c04fc2dcd2','9923a32a-3607-11d2-b9be-0000f87a36b2','89e95b76-444d-4c62-991a-0facbeda640c']);
+let selection_AccessMask = '0x100';
+let filter1 = 'Window Manager';
+let filter2 = @"^(NT AUT|MSOL_)";
+let filter3 = "$";
+SecurityEvent
+| where EventID == 4662
+| where Properties has_any (selection_properties) and AccessMask == selection_AccessMask
+| where not(SubjectDomainName == filter1 or SubjectUserName matches regex filter2 or SubjectUserName endswith filter3)
+| summarize first_TimeStamp=min(TimeGenerated), last_TimeStamp=max(TimeGenerated), count(), set_SubjectDomainNAme = make_set(SubjectDomainName), set_SubjectUserName = make_set(SubjectUserName), set_Properties=make_set(Properties) by Account, Computer, TenantId
 ~~~
 
 
 #### Triage  
 
-1. Inspect the command line   
-2. If the activity is suspicious confirm if it is expected and approved. It may be as part of a pen test   
+1. Evaluate the Account and SubjectUserName, check if DC Sync expected and approved. 
 
 
 #### FalsePositive  
-Pen test activity   
+1. Valid DC Sync that is not covered by the filters; please report
+2. Local Domain Admin account used for Azure AD Connect  
 
 #### VERSION  
 Version 1.0 (date: 10/07/2023)  
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1047-WMICCommands.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1047-WMICCommands.md
@@ -3,10 +3,10 @@
 ####  DESCRIPTION  
 The actor has executed WMIC commands to create a copy of the ntds.dit file and SYSTEM registry.   
 
-**example:**  
-wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro  
-wmic process call create "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\Pro"  
-wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm   
+**Example:**  
+> wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro  
+> wmic process call create "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\Pro"  
+> wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm   
 
 **Related**  
 Volt Typhoon activity
@@ -18,18 +18,29 @@ https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us
 ####  ATT&CK TACTICS
 {{ mitre("T1047") }}  
 
-Data source - [Command](https://attack.mitre.org/datasources/DS0017)
+Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017), [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation)
 
 ####  SENTINEL RULE QUERY  ###  
+
 ~~~
-let c1 = dynamic(["wmic", "process", "create"]);  
-find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)   
+let selection_main = dynamic(['wmic.exe','powershell.exe','cmd.exe','ntdsutil.exe']);
+let selection_wmic = dynamic(["wmic", "process", "create"]); //not used
+let selection_command = dynamic(['ntdsutil','ntds','ac','i','ifm']);
+union isfuzzy=true
+(DeviceProcessEvents
+| where FolderPath has_any(selection_main)
+| where ProcessCommandLine has_all (selection_command) or InitiatingProcessCommandLine has_all (selection_command)
+),
+(SecurityEvent
+| where EventID == 4688
+| where CommandLine has_all (selection_command)
+)
 ~~~  
 
 #### Triage
 
-1. Inspect which account and at what time the activity was performed  
-2. Question the user if the activity was expected and approved  
+1. Verify the command line that ntds.dit is copied by user, and check folder location where ntds.dit was copied
+2. Confirm with user if the activity was expected and approved
 
 #### Version
-Version 1.0 (date 5/7/2023)
+Version 1.1 (date 26/10/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-IISWebshellFileWrites.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-IISWebshellFileWrites.md
@@ -5,17 +5,17 @@
 ####  DESCRIPTION  
 Detects IIS file writes that may be web shells. Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.   
 
-**example:**  
+**Example:**  
 NA      
 
 
 
 **Related**  
-common persistance          
+Common Persistance          
 
 
 **Reference:**  
-https://attack.mitre.org/techniques/T1505/003/    
+https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web%20Shells%20Threat%20Protection/Hunting%20Queries/Possible%20webshell%20drop.yaml
 
 
 ####  ATT&CK TACTICS  
@@ -27,22 +27,28 @@ Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/)
 #### SENTINEL RULE QUERY   
 
 ~~~
-union Device*
-| where (FileName endswith "aspx" or FileName endswith "js" or FileName endswith "php") and FolderPath has "inetpub"
-| summarize make_set(FileName), counter = count() by DeviceName
-| where counter == 1    
+let ExtensionList = pack_array('asp','aspx','aar','ascx','ashx','asmx','c','cfm','cgi','jsp','jspx','php','pl','exe','jsp','jar','py','ps1','psm1','cmd','psd1','java','wsf','vbs');
+let IncludeTemp = false; // whether to include files that contain \temp\ in their path
+DeviceFileEvents
+| where ActionType in ('FileCreated', 'FileRenamed', 'FileModified')
+| where InitiatingProcessFileName in~('w3wp.exe','httpd.exe') 
+| where FolderPath contains @'\inetpub\wwwroot\'
+| where (IncludeTemp or FolderPath  !contains @'\temp\')
+| extend extension = tolower(tostring(split(FileName,'.')[-1]))
+| where extension in (ExtensionList)  
 ~~~
 
 
 #### Triage  
 
-1. Inspect network traffic to potential web shells. Most webshells take commands via POSTs. Successfull commands are met with a "200"  
-
+1. Examine the file and the folder locations, whether it belongs there.
+2. When it's not expected, download file sample and analysed
+3. Inspect network traffic to potential web shells. Most webshells take commands via POSTs. Successfull commands are met with a "200"  
 
 #### FalsePositive  
 
-unknown    
+1. Legitimate web-application generated a file.
 
 
 #### VERSION  
-Version 1.0 (date: 10/07/2023)  
+Version 1.1 (date: 30/10/2023)