This artifact is used to compare other artifacts from two different hunts. The basic idea is that a baseline (Hunt 1) is created from selected artifacts before an attack. A second hunt (Hunt 2) can then be carried out after the attack using the same artifacts. Now, using this script, artifacts from both hunts can be compared. This allows legitimate activities to be filtered out and makes it easier to identify malicious activities in Hunt2.
Furthermore, when comparing artifacts, it is necessary to select columns (here the identifying_column) that should be used for the comparison in both artifacts, since a comparison of complete data sets leads to errors. Because many artifacts contain timestamps that update. The use of values such as hashes therefore makes sense.
For example, the following artifacts and their identifying columns can be used to compare to a baseline:
name: Server.Hunt.Comparison
author: Denis Kiffer
description: |
This artifact is used to compare other artifacts from two different hunts. The basic idea is that a baseline (Hunt 1) is created from selected artifacts before an attack. A second hunt (Hunt 2) can then be carried out after the attack using the same artifacts. Now, using this script, artifacts from both hunts can be compared. This allows legitimate activities to be filtered out and makes it easier to identify malicious activities in Hunt2.
Furthermore, when comparing artifacts, it is necessary to select columns (here the identifying_column) that should be used for the comparison in both artifacts, since a comparison of complete data sets leads to errors. Because many artifacts contain timestamps that update. The use of values such as hashes therefore makes sense.
For example, the following artifacts and their identifying columns can be used to compare to a baseline:
- Windows.System.Pslist - Hash
- Windows.Forensics.Prefetch - Hash
- Windows.Sysinternals.Autoruns - SHA-256
- Windows.Sys.AllUsers - Name
reference:
- https://www.sans.org/white-papers/37192/
type: SERVER
parameters:
- name: Baseline_Hunt_1_id
description: id of the hunt that was executed before an attack
- name: Hunt_2_id
description: id of hunt that was executed during or after an attack and is supposed to be compared to the Baseline_Hunt_1
- name: Artifact_name
description: This is the artefact that should be compared and which was executed in the Baseline_Hunt_1 and Hunt_2
- name: Identifying_column
description: column of the selected artefact that should be compared
sources:
- query: |
--Select baseline hunt
Let Baseline = SELECT *,"Baseline" AS Sourcehunt FROM hunt_results(
artifact=Artifact_name,
hunt_id=Baseline_Hunt_1_id)
--Select second hunt to compare
Let Hunt2 = SELECT *, "Hunt2" AS Sourcehunt FROM hunt_results(
artifact=Artifact_name,
hunt_id=Hunt_2_id)
--Get List of systems to compare to each other
Let Systems = SELECT Fqdn FROM Baseline GROUP BY Fqdn
--Fuse both hunts
Let Hunts_fused = SELECT * FROM chain(
a={SELECT * FROM Hunt2},
b={SELECT * FROM Baseline},async=TRUE)
--Loop through each system and count how many appearances of the value from the selected identifying_column there are
Let CountallRows = SELECT * FROM foreach(
row=Systems.Fqdn,
query={SELECT *, count() AS TotalCount FROM Hunts_fused WHERE Fqdn=_value GROUP BY get(member=Identifying_column)})
--Show all lines where the value in the identifying_column only appears once
SELECT * FROM CountallRows WHERE TotalCount=1