
Detect RTR High Risk Commands

Detects the execution of high-risk RTR commands such as get, put, memdump, xmemdump, run and put-and-run.

Tags: EDR monitoring, FDR, intermediate
By ByteRay GmbH (cql-hub.com), 1 min read

Query

// Get RTR (Real Time Response) UI audit events
#repo="detections" ExternalApiType=/Remote/

// Keep events where at least one element of Commands[] is one of
// "get", "put", "memdump", "xmemdump", "run" or "put-and-run".
// The pattern is anchored to the start of the command and followed by a
// word boundary so that an unanchored "run" does not also match
// "runscript" and "get"/"put" do not match other commands that merely
// contain those substrings.
| array:regex("Commands[]", regex="^(get|put|memdump|xmemdump|run|put-and-run)\b")

// Flatten Commands[] into a single "Commands" field (all commands of the session, "; " separated)
| concatArray("Commands", separator="; ", as=Commands)

// Drop events where Commands ended up empty
| Commands=*

// Aggregate: first one row per user and host, then per user with the
// number of distinct hosts accessed and the commands run on them
| groupBy([UserName, AgentIdString], function=([collect([Commands])]))
| groupBy([UserName], function=([count(AgentIdString, as=SystemsAccessed), collect([Commands])]))

Explanation

Imported from cql-hub.com. Add an explanation of the pipes here.
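To make the pipeline's semantics concrete, the following is an added Python mirror of the query above; it is not part of the cql-hub.com entry and does not run inside LogScale. It applies the same anchored pattern to a handful of constructed RTR audit events (the field names ExternalApiType, UserName, AgentIdString and Commands are taken from the query; the event values, user names and agent ids are made up), then reproduces the concatArray() and the two groupBy() stages. It also shows the edge case the anchoring is there for: a session that only used "runscript" is not reported, while "put-and-run" is.

```python
import re
from collections import defaultdict

# Same command list as the query. "^" and "\b" keep "run" from matching
# "runscript" and keep "get"/"put" from matching longer command names.
HIGH_RISK_RE = re.compile(r"^(get|put|memdump|xmemdump|run|put-and-run)\b")

# Constructed sample events (not real FDR data). Only the fields the query
# touches are present.
SAMPLE_EVENTS = [
    {"ExternalApiType": "Event_RemoteResponseSessionEndEvent", "UserName": "alice@example.com",
     "AgentIdString": "aid-0001", "Commands": ["ls C:\\Users", "get C:\\Users\\bob\\notes.txt"]},
    {"ExternalApiType": "Event_RemoteResponseSessionEndEvent", "UserName": "alice@example.com",
     "AgentIdString": "aid-0002", "Commands": ["memdump 4242"]},
    # runscript is not in the list; with the anchored pattern this session is not flagged
    {"ExternalApiType": "Event_RemoteResponseSessionEndEvent", "UserName": "bob@example.com",
     "AgentIdString": "aid-0003", "Commands": ["runscript -CloudFile=collect_logs", "ps"]},
    {"ExternalApiType": "Event_RemoteResponseSessionEndEvent", "UserName": "bob@example.com",
     "AgentIdString": "aid-0001", "Commands": ["put tool.exe", "run tool.exe"]},
    # Not an RTR event: dropped by the ExternalApiType=/Remote/ filter
    {"ExternalApiType": "Event_DetectionSummaryEvent", "UserName": "carol@example.com",
     "AgentIdString": "aid-0004", "Commands": ["put something"]},
]


def is_high_risk(event):
    """Mirror of `ExternalApiType=/Remote/ | array:regex("Commands[]", ...)`:
    True if the event is an RTR event and any command matches the pattern."""
    if "Remote" not in event.get("ExternalApiType", ""):
        return False
    return any(HIGH_RISK_RE.search(cmd) for cmd in event.get("Commands", []))


def flatten_commands(event):
    """Mirror of `concatArray("Commands", separator="; ")`: all commands of the
    session, not only the matching ones, joined into one string."""
    return "; ".join(event.get("Commands", []))


def summarize(events):
    """Mirror of the two groupBy() stages: per user, the number of distinct
    AgentIdString values and the collected Commands strings."""
    per_user = defaultdict(lambda: {"systems": set(), "commands": []})
    for ev in events:
        if not is_high_risk(ev):
            continue
        flat = flatten_commands(ev)
        if not flat:  # `| Commands=*`
            continue
        entry = per_user[ev["UserName"]]
        entry["systems"].add(ev["AgentIdString"])
        entry["commands"].append(flat)
    return {
        user: {"SystemsAccessed": len(v["systems"]), "Commands": sorted(v["commands"])}
        for user, v in per_user.items()
    }


if __name__ == "__main__":
    for user, row in summarize(SAMPLE_EVENTS).items():
        print(f"{user}: {row['SystemsAccessed']} system(s) -> {row['Commands']}")
```

Running it reports alice with two systems and bob with one; bob's runscript-only session and carol's non-RTR event are not reported, which is the behaviour the anchored regex is meant to give the query.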

Variables to adjust

Review and adjust the values to match your environment.