// Files whose names suggest stored credentials, excluding common web/app assets and known false positives
DeviceFileEvents
| where FileName has_any ("password", "credentials", "logins", "log in")
| where not(FileName endswith ".svg" or FileName endswith ".gif" or FileName endswith ".css" or FileName endswith ".png" or FileName endswith ".js" or FileName contains "Keeper" or FileName endswith ".dll" or FileName endswith ".sh" or FileName contains "reprompt")
// URL clicks by a single user (Safe Links telemetry); column names are case-sensitive in advanced hunting
UrlClickEvents
| where AccountUpn == "user@domain.com"
| project Timestamp, Url, IsClickedThrough, UrlChain, Workload, DetectionMethods, ThreatTypes
// Failed logons in the last 30 days for one domain where the account was locked
IdentityLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonFailed"
| where AccountDomain == "enterdomainhere.com"
| where FailureReason contains "Locked"
@echo off
REM -----------------------------------------------
REM Uninstall-Tenable.bat
REM Stops the Tenable/Nessus service and uninstalls the MSI
REM -----------------------------------------------
REM 1) Stop the Tenable/Nessus service (adjust the name if needed)
set SERVICE="Tenable Nessus Agent"
REM 2) Define GUIDS if needed for hardcoding
$msiProductCodes = @(
    '{GUID}'
)
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($path in $paths) {
# Single MSI GUID to remove
$guid = '{GUID}'
# 1) Stop any Tenable/Nessus services so the MSI can uninstall cleanly
# Adjust the service names as needed for your environment.
Get-Service -DisplayName '*Tenable*','*Nessus*' -ErrorAction SilentlyContinue |
    Stop-Service -Force -ErrorAction SilentlyContinue
# 2) Run the silent uninstall
Write-Output "Starting uninstall of $guid..."
-- Chrome History database: last_visit_time is microseconds since 1601-01-01 (WebKit epoch),
-- so convert to seconds and shift by the 1601-to-1970 offset before treating it as a Unix epoch
SELECT url, title, datetime(last_visit_time / 1000000 + (strftime('%s', '1601-01-01')), 'unixepoch', 'localtime')
FROM urls
ORDER BY last_visit_time DESC
// Entra ID sign-ins that failed with error 50053 (account locked / sign-in blocked) in the last 30 days
AADSignInEventsBeta
| where ErrorCode == 50053
| where Timestamp > ago(30d)
| where AccountUpn has "enterdomainhere.com"
| project AccountDisplayName, AccountUpn, AccountObjectId, DeviceName, UserAgent, ClientAppUsed, Browser, Country