From 32921dc301b688cff0b26dd0930a2423228afd54 Mon Sep 17 00:00:00 2001 From: Cam <48134597+cams-security@users.noreply.github.com> Date: Fri, 1 Mar 2024 14:54:02 -0500 Subject: [PATCH] ZeroTier Coverage Coverage for the ZeroTier RMM tool --- RMM/ZeroTier/RMM_AHQ_ZeroTier.md | 54 ++++++++++++++++++++++++++++ RMM/ZeroTier/RMM_Summary_ZeroTier.md | 22 ++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 RMM/ZeroTier/RMM_AHQ_ZeroTier.md create mode 100644 RMM/ZeroTier/RMM_Summary_ZeroTier.md diff --git a/RMM/ZeroTier/RMM_AHQ_ZeroTier.md b/RMM/ZeroTier/RMM_AHQ_ZeroTier.md new file mode 100644 index 0000000..126e893 --- /dev/null +++ b/RMM/ZeroTier/RMM_AHQ_ZeroTier.md 
@@ -0,0 +1,54 @@
+# Advanced Hunting Query for ZeroTier
+
+### Create Process
+```
+let Time_start = now(-5d);
+let Time_end = now();
+//
+let rmmProcess =
+DeviceProcessEvents
+| where Timestamp between (Time_start..Time_end)
+ | where CreatedProcessVersionInfoCompanyName has "zerotier" and InitiatingProcessVersionInfoCompanyName has 'zerotier'
+ or
+ InitiatingProcessVersionInfoProductName has 'zerotier'
+| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
+ Report=make_set(ReportId), Count=count() by DeviceId, DeviceName, AccountUpn
+| extend rmmProcessName = 'ZeroTier'
+;
+rmmProcess
+```
+
+### File Signature
+```
+let Time_start = now(-5d);
+let Time_end = now();
+//
+let rmmFileSig =
+DeviceFileCertificateInfo
+| where Timestamp between (Time_start..Time_end)
+| where Signer has 'Zerotier'
+| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
+ Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
+| extend rmmFileSigName = 'ZeroTier'
+;
+rmmFileSig
+```
+
+### Network Connection
+```
+let Time_start = now(-5d);
+let Time_end = now();
+//
+let rmmNetwork =
+DeviceNetworkEvents
+| where Timestamp between (Time_start..Time_end)
+| where RemoteUrl has 'zerotier.com'
+ and InitiatingProcessVersionInfoCompanyName has 'ZeroTier'
+ and InitiatingProcessVersionInfoProductName has 'ZeroTier'
+| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
+ Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
+ AccountUpn, RemoteUrl
+| extend rmmNetworkName = 'ZeroTier'
+;
+rmmNetwork
+```
\ No newline at end of file
diff --git a/RMM/ZeroTier/RMM_Summary_ZeroTier.md b/RMM/ZeroTier/RMM_Summary_ZeroTier.md
new file mode 100644
index 0000000..1a0d0fe
--- /dev/null
+++ b/RMM/ZeroTier/RMM_Summary_ZeroTier.md
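Review bot: The Create Process filter misses a ZeroTier binary launched by a non-ZeroTier parent, because `and` binds tighter than `or` in KQL, so the predicate reads `(created company has zerotier and parent company has zerotier) or parent product has zerotier` — a ZeroTier installer or service started by explorer.exe, msiexec.exe or services.exe never satisfies either branch. I also cannot find `CreatedProcessVersionInfoCompanyName` in the DeviceProcessEvents schema; the created-process metadata columns there are `ProcessVersionInfoCompanyName` and `ProcessVersionInfoProductName`, so confirm the column name against the schema reference before merging. Matching each attribute independently, as below, covers both the child- and parent-based cases and mirrors the pairing already used in the Network Connection query. Separately, `RemoteUrl has 'zerotier.com'` presumably only sees control-plane and update traffic; ZeroTier's peer and root-server traffic is UDP to IP addresses (default port 9993), so consider an additional `or (RemotePort == 9993 and Protocol == 'Udp')` clause under the same signer filter, verified against your own telemetry.
```kusto
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'zerotier'
    or ProcessVersionInfoProductName has 'zerotier'
    or InitiatingProcessVersionInfoCompanyName has 'zerotier'
    or InitiatingProcessVersionInfoProductName has 'zerotier'
// … unchanged: summarize / extend / rmmProcess …
```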
@@ -0,0 +1,22 @@
+# Remote Monitioring and Management (RMM) Tool Summary for UltraViewer
+
+### Company/ Project website:
+- https://www.zerotier.com/
+
+### Historical context and detail
+-
+
+### Process Indicators
+-
+-
+-
+
+### Network Indicators
+- zerotier.com
+-
+-
+
+### File Signature Indicators
+- Zerotier
+- ZeroTier, Inc
+- ZeroTier One
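Review bot: The title on the first line names the wrong product — `# Remote Monitioring and Management (RMM) Tool Summary for UltraViewer` should read `# Remote Monitoring and Management (RMM) Tool Summary for ZeroTier` (which also fixes the "Monitioring" typo); as written the page reads as a leftover copy of another tool's summary. The Process Indicators section is left as empty bullets even though the companion AHQ file matches on version-info company and product strings, so listing those strings here would keep the two files consistent and give an analyst something to pivot on. The File Signature Indicators list mixes a certificate signer string (`Zerotier`, `ZeroTier, Inc`) with what looks like a product name (`ZeroTier One`); consider labelling which entries are certificate subjects and which are version-info values so they are not pasted into the wrong column.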