Hunting Queries/SecurityEvent/cscript_summary.txt


// Name: Cscript script daily summary breakdown
//
// Id: 36abe031-962d-482e-8e1e-a556ed99d5a3
//
// Description: breakdown of scripts launched through cscript.exe (Windows Script Host) in the environment,
//              with the script name and its parameters extracted from the 4688 process command line
//
// DataSource: #SecurityEvent
//
// Tactics: #Execution
//
let ProcessCreationEvents=() {
    // Normalise Windows process-creation audit events (EventID 4688) into a
    // generic process-event shape: when it ran, on which host, under which
    // account, which image, with which command line and which parent image.
    // FileName is the last '\'-separated component of NewProcessName.
    // The two Initiating*CommandLine/ParentFileName columns are left empty;
    // nothing in this 4688 projection populates them.
    // NOTE(review): presumably kept for schema parity with other DataSource
    // variants of this hunting query - confirm before removing.
    SecurityEvent
    | where EventID == 4688
    | extend FileName = tostring(split(NewProcessName, '\\')[-1])
    | project EventTime = TimeGenerated,
              ComputerName = Computer,
              AccountName = SubjectUserName,
              AccountDomain = SubjectDomainName,
              FileName,
              ProcessCommandLine = CommandLine,
              InitiatingProcessFileName = ParentProcessName,
              InitiatingProcessCommandLine = "",
              InitiatingProcessParentFileName = ""
};
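// Daily summary of cscript activity - extracting the script name and its parameters from the command line.
// The query carries no time filter of its own; the hunting blade / workbook time range scopes it.
// NOTE(review): 4688 only carries CommandLine when "Include command line in process creation events" is
// enabled on the audited hosts; without it every cscript launch collapses into a single empty-ScriptName row.
ProcessCreationEvents
| where FileName =~ "cscript.exe"
// Strip Windows Script Host options (//nologo, //b, //e:vbscript, //t:30, ...). Host options are
// double-slash tokens; single-slash tokens are arguments to the script itself and the "//" inside a
// URL passed to a script is evidence we want to keep, so only whole "//xxx" tokens at a token boundary go.
| extend NoHostSwitches = replace(@"(^|\s)//[a-zA-Z0-9:]+", @"\1", ProcessCommandLine)
// Drop the leading host image - bare "cscript", full path, quoted or not, any case - and the
// whitespace after it, anchored at the start so a trailing occurrence is never touched.
| extend CommandLine = trim_start(@"(?i)(""[^""]*cscript(\.exe)?""|\S*cscript(\.exe)?)\s*", NoHostSwitches)
| extend IsQuoted = CommandLine startswith @""""
// Script name: when quoted, everything between the opening and closing quote (spaces allowed; the
// closing quote is optional so a truncated command line still yields a name); otherwise the first
// whitespace-delimited token. coalesce() turns a non-match into "" so rows group cleanly.
| extend ScriptName = coalesce(iff(IsQuoted,
                                   extract(@"^""([^""]*)""?", 1, CommandLine),
                                   extract(@"^(\S+)", 1, CommandLine)), "")
// Script parameters: whatever follows the script name and the whitespace after it. Computed from the
// same quoted/unquoted split rather than by string offsets, so the closing quote of a quoted script
// path never leaks into the parameters.
| extend ScriptParams = coalesce(iff(IsQuoted,
                                     extract(@"^""[^""]*""\s*(.*)", 1, CommandLine),
                                     extract(@"^\S+\s*(.*)", 1, CommandLine)), "")
// One row per distinct script/parameter pair, with the context needed to triage it:
// how often, on how many hosts, by how many accounts, and when it was first/last seen.
| summarize Executions = count(),
            Hosts = dcount(ComputerName),
            Accounts = dcount(AccountName),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime)
            by ScriptName, ScriptParams
// Rarest combinations first - those are the ones worth a hunter's attention.
| order by Executions asc, ScriptName asc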